SDN-Based DDoS Attack Prevention Method, Apparatus, and System

ABSTRACT

A software defined networking (SDN)-based distributed denial of service (DDoS) attack prevention method, an apparatus, and a system, where a controller delivers a traffic statistics collection instruction to a first packet forwarding device. The traffic statistics collection instruction instructs the first packet forwarding device to perform traffic statistics collection, and carries a destination Internet Protocol (IP) address. The controller collects statistical data reported by the first packet forwarding device, obtains, according to the statistical data, a statistical value of global traffic flowing to the destination IP address, and delivers a DDoS prevention policy to a second packet forwarding device based on a determining result that the statistical value of the global traffic exceeds the preset threshold. Correspondingly, the second packet forwarding device receives the DDoS prevention policy from the controller, and performs, according to the DDoS prevention policy, prevention process on the traffic flowing to the destination IP address.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/711,725, filed on Sep. 21, 2017, which is a continuation ofInternational Patent Application No. PCT/CN2016/072781, filed on Jan.29, 2016, which claims priority to Chinese Patent Application No.201510131608.2, filed on Mar. 24, 2015. All of the aforementioned patentapplications are hereby incorporated by reference in their entireties.

TECHNICAL FIELD

The present disclosure relates to communications technologies, and inparticular, to a software defined networking (SDN)-based distributeddenial of service (DDoS) attack prevention method, an apparatus, and asystem.

BACKGROUND

FIG. 1 is a schematic diagram of a DDoS attack. Referring to FIG. 1, aprimary implementation principle of a DDoS attack is that an attackeruses one or more main control hosts as a jump host to control massiveinfected controlled hosts in order to establish an attack network toimplement a large-scale denial-of-service attack on a victim host. Theattack may usually enlarge, in a form of grade, an attack result of asingle attacker, causing severe impact on the victim host and resultingin serious network congestion. In the DDoS attack, the attack network isused to launch, on the victim host, multiple types of attacks such as anInternet Control Message Protocol (ICMP) flood attack, a synchronous(SYN) flood attack, and a User Datagram Protocol (UDP) flood attack. Asa result, the victim host consumes a large quantity of processingresources to process these burst requests and cannot normally respond toan authorized user request, causing breakdown.

In a DDoS prevention solution in other approaches, a cleaning device isgenerally deployed at a network convergence node, and DDoS attacktraffic converged at the node is cleaned using the cleaning device,thereby implementing DDoS prevention. The network convergence node maybe an interworking gateway, an egress device of a metropolitan areanetwork in China, an egress device of a data center, or the like.However, for a backbone network without an obvious network convergencenode, there is a relatively large quantity of nodes in the network. Inthis case, in other approaches, a cleaning device is generally deployedfor a specific Internet Protocol (IP) address, that is, the cleaningdevice is deployed on a traffic convergence node connected to a hosthaving the specific IP address. The specific IP address may be setaccording to a customer requirement and a customer priority. Forexample, if a customer needs to protect an IP address or an IP addresssegment of a server, a traffic convergence node connected to the serveris used as a node on which the cleaning device is deployed.

In the foregoing scenario of the backbone network without an obviousconvergence node, although a cleaning device is deployed for a specificIP address, when a DDoS attack occurs, no matter whether an IP addressof a victim host is the specific IP address, DDoS attack traffic for thevictim host needs to be diverted to the cleaning device. In this case,the traffic of the victim host whose IP address is not the specific IPaddress can be diverted to the cleaning device only after passingthrough multiple routing and forwarding nodes in the network. As aresult, network resources of these routing and forwarding nodes areoccupied, impact of the DDoS attack on the backbone network isincreased, and network security is reduced.

SUMMARY

The present disclosure provides an SDN-based DDoS attack preventionmethod, an apparatus, and a system in order to improve network security.

A first aspect of the present disclosure provides an SDN-based DDoSattack prevention method, including delivering, by a controller, atraffic statistics collection instruction to a first packet forwardingdevice, where the traffic statistics collection instruction is used toinstruct the first packet forwarding device to perform trafficstatistics collection, where the traffic statistics collectioninstruction carries a destination IP address, collecting, by thecontroller, statistical data reported by the first packet forwardingdevice according to the traffic statistics collection instruction, wherethe statistical data includes statistical information of traffic flowingto the destination IP address, obtaining, by the controller according tothe statistical data, a statistical value of global traffic flowing tothe destination IP address, where the statistical value of the globaltraffic indicates a statistical value that is used to reflect trafficflowing to the destination IP address within a range of the SDN and thatis obtained after the controller summarizes statistical data reported byat least two packet forwarding devices including the first packetforwarding device, determining, by the controller, whether thestatistical value of the global traffic exceeds a preset threshold, anddelivering a DDoS prevention policy to a second packet forwarding devicebased on a determining result that the statistical value of the globaltraffic exceeds the preset threshold.

With reference to the first aspect, in a first possible implementationof the first aspect, the traffic statistics collection instructionfurther carries a detection start time, where the detection start timeis used to notify the first packet forwarding device of a start time ofthe traffic statistics collection, the traffic statistics collection iscontinuously performed by the first packet forwarding device accordingto a detection period, and the statistical data is reported by the firstpacket forwarding device to the controller according to the detectionperiod.

With reference to the first possible implementation of the first aspect,in a second possible implementation of the first aspect, the methodfurther includes determining, by the controller, that the statisticalvalue of the global traffic does not exceed the preset threshold in atleast two successive detection periods, and delivering, by thecontroller, a prevention cancellation instruction message to the secondpacket forwarding device, where the prevention cancellation instructionmessage is used to instruct the second packet forwarding device to stopexecuting the DDoS prevention policy.

With reference to the first aspect or either of the foregoing possibleimplementations of the first aspect, in a third possible implementationof the first aspect, before the controller delivers the DDoS preventionpolicy to the second packet forwarding device, the method furtherincludes determining, by the controller according to the statisticaldata, a packet forwarding device closest to an attack source on anattack path, and setting the packet forwarding device closest to theattack source as the second packet forwarding device.

With reference to the third possible implementation of the first aspect,in a fourth possible implementation of the first aspect, the statisticalinformation of the traffic flowing to the destination IP addressincludes a volume of the traffic flowing from the first packetforwarding device to the destination IP address, and determining, by thecontroller according to the statistical data, a packet forwarding deviceclosest to an attack source on an attack path includes determining, bythe controller, a first attack path according to the volume of thetraffic flowing from the first packet forwarding device to thedestination IP address, where the first attack path is an attack path,of at least one attack path, with a maximum volume of traffic flowing tothe destination IP address, and determining, by the controller accordingto the first attack path, the packet forwarding device closest to theattack source, where the packet forwarding device closest to the attacksource is located on an SDN edge that is on the first attack path andthat is on a side of a source address of the traffic flowing to thedestination IP address.

With reference to the first aspect or any one of the foregoing possibleimplementations of the first aspect, in a fifth possible implementation,the DDoS prevention policy includes any one of a black-hole routeresponse policy, a traffic limiting response policy, a rate limitingresponse policy, a discarding response policy, a local cleaning responsepolicy, or a dynamic diversion and cleaning response policy, where theblack-hole route response policy is used to instruct the second packetforwarding device to perform, by configuring a black-hole route, packetdiscarding processing on the traffic flowing to the destination IPaddress, the traffic limiting response policy is used to instruct thesecond packet forwarding device to perform traffic limiting processingon the traffic flowing to the destination IP address, the rate limitingresponse policy is used to instruct the second packet forwarding deviceto perform rate limiting processing on the traffic flowing to thedestination IP address, the discarding response policy is used toinstruct the second packet forwarding device to perform packetdiscarding processing on the traffic flowing to the destination IPaddress, the local cleaning response policy is used to instruct thesecond packet forwarding device to locally perform cleaning processingon the traffic flowing to the destination IP address, and the dynamicdiversion and cleaning response policy is used to instruct the secondpacket forwarding device to send the traffic flowing to the destinationIP address to a cleaning device for cleaning processing.

With reference to the fifth possible implementation of the first aspect,in a sixth possible implementation of the first aspect, the statisticaldata further includes a load value of the first packet forwardingdevice, and before the controller delivers the DDoS prevention policy tothe second packet forwarding device, the method further includesdetermining, by the controller, a first diversion path according to theload value of the first packet forwarding device, where the firstdiversion path is a path with a minimum load between the second packetforwarding device and the cleaning device, and the first diversion pathincludes the second packet forwarding device and the cleaning device,and the DDoS prevention policy delivered by the controller to the secondpacket forwarding device is the dynamic diversion and cleaning responsepolicy, the dynamic diversion and cleaning response policy includesindication information of the first diversion path, and the indicationinformation of the first diversion path is used to instruct the secondpacket forwarding device to send, through the first diversion path, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing.

With reference to the fifth possible implementation of the first aspect,in a seventh possible implementation of the first aspect, before thecontroller delivers the DDoS prevention policy to the second packetforwarding device, the method further includes determining, by thecontroller, a second diversion path according to an SDN topologicalrelationship, where the second diversion path is a shortest path betweenthe second packet forwarding device and the cleaning device, and the SDNtopological relationship includes a connection relationship between thepacket forwarding devices in the SDN and a connection relationshipbetween one or more packet forwarding devices and the cleaning device,and the DDoS prevention policy delivered by the controller to the secondpacket forwarding device is the dynamic diversion and cleaning responsepolicy, the dynamic diversion and cleaning response policy includesindication information of the second diversion path, and the indicationinformation of the second diversion path is used to instruct the secondpacket forwarding device to send, through the second diversion path, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing.

A second aspect of the present disclosure provides an SDN-based DDoSattack prevention method, where the method is applied to an SDN system,the SDN system includes a controller and a packet forwarding device, themethod is executed by the packet forwarding device, and the methodincludes receiving a traffic statistics collection instruction sent bythe controller, where the traffic statistics collection instruction isused to instruct the packet forwarding device to perform trafficstatistics collection, and the traffic statistics collection instructioncarries a destination IP address, collecting, according to the trafficstatistics collection instruction, statistical information of trafficflowing to the destination IP address, and reporting statistical data tothe controller, where the statistical data includes the statisticalinformation of the traffic flowing to the destination IP address.

With reference to the second aspect, in a first possible implementationof the second aspect, the traffic statistics collection instructionfurther carries a detection start time, where the detection start timeis used to notify the packet forwarding device of a start time of thetraffic statistics collection, the traffic statistics collection iscontinuously performed according to a detection period, and thestatistical data is reported to the controller according to thedetection period.

With reference to the second aspect or the first possible implementationof the second aspect, in a second possible implementation of the secondaspect, after reporting statistical data to the controller, the methodfurther includes receiving a DDoS prevention policy sent by thecontroller, and performing, according to the DDoS prevention policy,prevention processing on the traffic flowing to the destination IPaddress.

With reference to the second possible implementation of the secondaspect, in a third possible implementation of the second aspect, afterreceiving a DDoS prevention policy sent by the controller, the methodfurther includes receiving a prevention cancellation instruction messagesent by the controller, where the prevention cancellation instructionmessage is used to instruct the packet forwarding device to stopexecuting the DDoS prevention policy, and stopping, according to theprevention cancellation instruction message, performing preventionprocessing on the traffic flowing to the destination IP address.

With reference to the second possible implementation of the secondaspect or the third possible implementation of the second aspect, in afourth possible implementation of the second aspect, the DDoS preventionpolicy includes any one of a black-hole route response policy, a trafficlimiting response policy, a rate limiting response policy, a discardingresponse policy, a local cleaning response policy, or a dynamicdiversion and cleaning response policy, where the black-hole routeresponse policy is used to instruct the packet forwarding device toperform, by configuring a black-hole route, packet discarding processingon the traffic flowing to the destination IP address, and performing,according to the DDoS prevention policy, prevention processing on thetraffic flowing to the destination IP address includes performing, usingthe black-hole route according to the black-hole route response policy,packet discarding processing on the traffic flowing to the destinationIP address. The traffic limiting response policy is used to instruct thepacket forwarding device to perform traffic limiting processing on thetraffic flowing to the destination IP address, and performing, accordingto the DDoS prevention policy, prevention processing on the trafficflowing to the destination IP address includes performing, according tothe traffic limiting response policy, traffic limiting processing on thetraffic flowing to the destination IP address, the rate limitingresponse policy is used to instruct the packet forwarding device toperform rate limiting processing on the traffic flowing to thedestination IP address, and performing, according to the DDoS preventionpolicy, prevention processing on the traffic flowing to the destinationIP address includes performing, according to the rate limiting responsepolicy, rate limiting processing on the traffic flowing to thedestination IP address, the discarding response policy is used toinstruct the packet forwarding device to perform packet discardingprocessing on the traffic flowing to the destination IP address, andperforming, according to the DDoS prevention policy, preventionprocessing on the traffic flowing to the destination IP address includesperforming, according to the discarding response policy, packetdiscarding processing on the traffic flowing to the destination IPaddress, the local cleaning response policy is used to instruct thepacket forwarding device to locally perform cleaning processing on thetraffic flowing to the destination IP address, and performing, accordingto the DDoS prevention policy, prevention processing on the trafficflowing to the destination IP address includes locally performing,according to the local cleaning response policy, cleaning processing onthe traffic flowing to the destination IP address, and the dynamicdiversion and cleaning response policy is used to instruct the packetforwarding device to send the traffic flowing to the destination IPaddress to a cleaning device for cleaning processing, and performing,according to the DDoS prevention policy, prevention processing on thetraffic flowing to the destination IP address includes sending,according to the dynamic diversion and cleaning response policy, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing.

With reference to the fourth possible implementation of the secondaspect, in a fifth possible implementation of the second aspect, thestatistical data further includes a load value of the first packetforwarding device, the dynamic diversion and cleaning response policyincludes indication information of a first diversion path, theindication information of the first diversion path is used to instructthe packet forwarding device to send, through the first diversion path,the traffic flowing to the destination IP address to the cleaning devicefor cleaning processing, the first diversion path is a path with aminimum load between the packet forwarding device and the cleaningdevice, and the first diversion path includes the second packetforwarding device and the cleaning device, and sending, according to thedynamic diversion and cleaning response policy, the traffic flowing tothe destination IP address to the cleaning device for cleaningprocessing includes sending, through the first diversion path accordingto the dynamic diversion and cleaning response policy, the trafficflowing to the destination IP address to the cleaning device forcleaning processing.

With reference to the fourth possible implementation of the secondaspect, in a sixth possible implementation of the second aspect, thedynamic diversion and cleaning response policy includes indicationinformation of a second diversion path, the indication information ofthe second diversion path is used to instruct the packet forwardingdevice to send, through the second diversion path, the traffic flowingto the destination IP address to the cleaning device for cleaningprocessing, and the second diversion path is a shortest path between thepacket forwarding device and the cleaning device, and sending, accordingto the dynamic diversion and cleaning response policy, the trafficflowing to the destination IP address to the cleaning device forcleaning processing includes sending, through the second diversion pathaccording to the dynamic diversion and cleaning response policy, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing.

A third aspect of the present disclosure provides a controller,including a sending module configured to deliver a traffic statisticscollection instruction to a first packet forwarding device, where thetraffic statistics collection instruction is used to instruct the firstpacket forwarding device to perform traffic statistics collection, andthe traffic statistics collection instruction carries a destination IPaddress, a receiving module configured to collect statistical datareported by the first packet forwarding device according to the trafficstatistics collection instruction sent by the sending module, where thestatistical data includes statistical information of traffic flowing tothe destination IP address, and a processing module configured toobtain, according to the statistical data received by the receivingmodule, a statistical value of global traffic flowing to the destinationIP address, where the statistical value of the global traffic indicatesa statistical value that is used to reflect traffic flowing to thedestination IP address within a range of the SDN and that is obtainedafter the controller summarizes statistical data reported by at leasttwo packet forwarding devices including the first packet forwardingdevice, and determine whether the statistical value of the globaltraffic exceeds a preset threshold, where the sending module is furtherconfigured to deliver a DDoS prevention policy to a second packetforwarding device based on a determining result, determined by theprocessing module, that the statistical value of the global trafficexceeds the preset threshold.

With reference to the third aspect, in a first possible implementationof the third aspect, the traffic statistics collection instructionfurther carries a detection start time, where the detection start timeis used to notify the first packet forwarding device of a start time ofthe traffic statistics collection, the traffic statistics collection iscontinuously performed by the first packet forwarding device accordingto a detection period, and the statistical data is reported by the firstpacket forwarding device to the controller according to the detectionperiod, the processing module is further configured to determine thatthe statistical value of the global traffic does not exceed the presetthreshold in at least two successive detection periods, and the sendingmodule is further configured to deliver a prevention cancellationinstruction message to the second packet forwarding device based on aresult, determined by the processing module, that the statistical valueof the global traffic does not exceed the preset threshold in the atleast two successive detection periods, where the preventioncancellation instruction message is used to instruct the second packetforwarding device to stop executing the DDoS prevention policy.

With reference to the third aspect or the first possible implementationof the third aspect, in a second possible implementation of the thirdaspect, before the sending module delivers the DDoS prevention policy tothe second packet forwarding device, the processing module is furtherconfigured to determine, according to the statistical data received bythe receiving module, a packet forwarding device closest to an attacksource on an attack path, and set the packet forwarding device closestto the attack source as the second packet forwarding device.

With reference to the second possible implementation of the thirdaspect, in a third possible implementation of the third aspect, thestatistical information of the traffic flowing to the destination IPaddress includes a volume of the traffic flowing from the first packetforwarding device to the destination IP address, and the processingmodule is further configured to determine a first attack path accordingto the volume of the traffic that is received by the receiving moduleand that is flowing from the first packet forwarding device to thedestination IP address, where the first attack path is an attack path,of at least one attack path, with a maximum volume of traffic flowing tothe destination IP address, and determine, according to the first attackpath, the packet forwarding device closest to the attack source, wherethe packet forwarding device closest to the attack source is located onan SDN edge that is on the first attack path and that is on a side of asource address of the traffic flowing to the destination IP address.

With reference to the third aspect or any one of the foregoing possibleimplementations of the third aspect, in a fourth possible implementationof the third aspect, the DDoS prevention policy includes any one of ablack-hole route response policy, a traffic limiting response policy, arate limiting response policy, a discarding response policy, a localcleaning response policy, or a dynamic diversion and cleaning responsepolicy, where the black-hole route response policy is used to instructthe second packet forwarding device to perform, by configuring ablack-hole route, packet discarding processing on the traffic flowing tothe destination IP address, the traffic limiting response policy is usedto instruct the second packet forwarding device to perform trafficlimiting processing on the traffic flowing to the destination IPaddress, the rate limiting response policy is used to instruct thesecond packet forwarding device to perform rate limiting processing onthe traffic flowing to the destination IP address, the discardingresponse policy is used to instruct the second packet forwarding deviceto perform packet discarding processing on the traffic flowing to thedestination IP address, the local cleaning response policy is used toinstruct the second packet forwarding device to locally perform cleaningprocessing on the traffic flowing to the destination IP address, and thedynamic diversion and cleaning response policy is used to instruct thesecond packet forwarding device to send the traffic flowing to thedestination IP address to a cleaning device for cleaning processing.

With reference to the fourth possible implementation of the thirdaspect, in a fifth possible implementation of the third aspect, thestatistical data further includes a load value of the first packetforwarding device, before the sending module delivers the DDoSprevention policy to the second packet forwarding device, the processingmodule is further configured to determine a first diversion pathaccording to the load value of the first packet forwarding device, wherethe first diversion path is a path with a minimum load between thesecond packet forwarding device and the cleaning device, and the firstdiversion path includes the second packet forwarding device and thecleaning device, and the DDoS prevention policy delivered by the sendingmodule to the second packet forwarding device according to the firstdiversion path determined by the processing module is the dynamicdiversion and cleaning response policy, the dynamic diversion andcleaning response policy includes indication information of the firstdiversion path, and the indication information of the first diversionpath is used to instruct the second packet forwarding device to send,through the first diversion path, the traffic flowing to the destinationIP address to the cleaning device for cleaning processing.

With reference to the fourth possible implementation of the thirdaspect, in a sixth possible implementation of the third aspect, beforethe sending module delivers the DDoS prevention policy to the secondpacket forwarding device, the processing module is further configured todetermine a second diversion path according to an SDN topologicalrelationship, where the second diversion path is a shortest path betweenthe second packet forwarding device and the cleaning device, and the SDNtopological relationship includes a connection relationship between thepacket forwarding devices in the SDN and a connection relationshipbetween one or more packet forwarding devices and the cleaning device,and the DDoS prevention policy delivered by the sending module to thesecond packet forwarding device according to the second diversion pathdetermined by the processing module is the dynamic diversion andcleaning response policy, the dynamic diversion and cleaning responsepolicy includes indication information of the second diversion path, andthe indication information of the second diversion path is used toinstruct the second packet forwarding device to send, through the seconddiversion path, the traffic flowing to the destination IP address to thecleaning device for cleaning processing.

A fourth aspect of the present disclosure provides a packet forwardingdevice, where the packet forwarding device is applied to an SDN system,the SDN system includes a controller and the packet forwarding device,and the packet forwarding device includes a receiving module configuredto receive a traffic statistics collection instruction sent by thecontroller, where the traffic statistics collection instruction is usedto instruct a processing module to perform traffic statisticscollection, and the traffic statistics collection instruction carries adestination IP address, the processing module configured to collect,according to the traffic statistics collection instruction received bythe receiving module, statistical information of traffic flowing to thedestination IP address, and a sending module configured to reportstatistical data to the controller according to the statisticalinformation, collected by the processing module, of the traffic flowingto the destination IP address, where the statistical data includes thestatistical information of the traffic flowing to the destination IPaddress.

With reference to the fourth aspect, in a first possible implementationof the fourth aspect, the traffic statistics collection instructionfurther carries a detection start time, where the detection start timeis used to notify the processing module of a start time of the trafficstatistics collection, the traffic statistics collection is continuouslyperformed according to a detection period, and the statistical data isreported to the controller according to the detection period.

With reference to the fourth aspect or the first possible implementationof the fourth aspect, in a second possible implementation of the fourthaspect, after the sending module reports the statistical data to thecontroller, the receiving module is further configured to receive a DDoSprevention policy sent by the controller, and the processing module isfurther configured to perform, according to the DDoS prevention policyreceived by the receiving module, prevention processing on the trafficflowing to the destination IP address.

With reference to the second possible implementation of the fourthaspect, in a third possible implementation of the fourth aspect, afterreceiving the DDoS prevention policy sent by the controller, thereceiving module is further configured to receive a preventioncancellation instruction message sent by the controller, where theprevention cancellation instruction message is used to instruct theprocessing module to stop executing the DDoS prevention policy, and theprocessing module is further configured to stop, according to theprevention cancellation instruction message received by the receivingmodule, performing prevention processing on the traffic flowing to thedestination IP address.

With reference to the first possible implementation of the fourth aspector the second possible implementation of the fourth aspect, in a fourthpossible implementation of the fourth aspect, the DDoS prevention policyincludes any one of a black-hole route response policy, a trafficlimiting response policy, a rate limiting response policy, a discardingresponse policy, a local cleaning response policy, or a dynamicdiversion and cleaning response policy, where the black-hole routeresponse policy is used to instruct the processing module to perform, byconfiguring a black-hole route, packet discarding processing on thetraffic flowing to the destination IP address, and the processing moduleis further configured to perform, using the black-hole route accordingto the black-hole route response policy received by the receivingmodule, packet discarding processing on the traffic flowing to thedestination IP address, the traffic limiting response policy is used toinstruct the processing module to perform traffic limiting processing onthe traffic flowing to the destination IP address, and the processingmodule is further configured to perform, according to the trafficlimiting response policy received by the receiving module, trafficlimiting processing on the traffic flowing to the destination IPaddress, the rate limiting response policy is used to instruct theprocessing module to perform rate limiting processing on the trafficflowing to the destination IP address, and the processing module isfurther configured to perform, according to the rate limiting responsepolicy received by the receiving module, rate limiting processing on thetraffic flowing to the destination IP address, the discarding responsepolicy is used to instruct the processing module to perform packetdiscarding processing on the traffic flowing to the destination IPaddress, and the processing module is further configured to perform,according to the discarding response policy received by the receivingmodule, packet discarding processing on the traffic flowing to thedestination IP address, the local cleaning response policy is used toinstruct the processing module to locally perform cleaning processing onthe traffic flowing to the destination IP address, and the processingmodule is further configured to locally perform, according to the localcleaning response policy received by the receiving module, cleaningprocessing on the traffic flowing to the destination IP address, and thedynamic diversion and cleaning response policy is used to instruct theprocessing module to send the traffic flowing to the destination IPaddress to a cleaning device for cleaning processing, and the processingmodule is further configured to instruct, according to the dynamicdiversion and cleaning response policy received by the receiving module,the sending module to send the traffic flowing to the destination IPaddress to the cleaning device for cleaning processing.

With reference to the fourth possible implementation of the fourthaspect, in a fifth possible implementation of the fourth aspect, thestatistical data further includes a load value of the first packetforwarding device, and the dynamic diversion and cleaning responsepolicy includes indication information of the first diversion path, theindication information of the first diversion path is used to instructto send, through a first diversion path, the traffic flowing to thedestination IP address to the cleaning device for cleaning processing,the first diversion path is a path with a minimum load between thepacket forwarding device and the cleaning device, and the firstdiversion path includes the second packet forwarding device and thecleaning device, and the processing module is further configured toinstruct, according to the dynamic diversion and cleaning responsepolicy received by the receiving module, the sending module to send,through the first diversion path, the traffic flowing to the destinationIP address to the cleaning device for cleaning processing.

With reference to the fourth possible implementation of the fourthaspect, in a sixth possible implementation of the fourth aspect, thedynamic diversion and cleaning response policy includes indicationinformation of the second diversion path, where the indicationinformation of the second diversion path is used to instruct to send,through a second diversion path, the traffic flowing to the destinationIP address to the cleaning device for cleaning processing, and thesecond diversion path is a shortest path between the packet forwardingdevice and the cleaning device, and the processing module is furtherconfigured to instruct, according to the dynamic diversion and cleaningresponse policy received by the receiving module, the sending module tosend, through the second diversion path, the traffic flowing to thedestination IP address to the cleaning device for cleaning processing.

A fifth aspect of the present disclosure provides an SDN system,including a controller, a first packet forwarding device, and a secondpacket forwarding device, where the controller is configured to delivera traffic statistics collection instruction to the first packetforwarding device, where the traffic statistics collection instructionis used to instruct the first packet forwarding device to performtraffic statistics collection, and the traffic statistics collectioninstruction carries a destination IP address, collect statistical datareported by the first packet forwarding device according to the trafficstatistics collection instruction, where the statistical data includesstatistical information of traffic flowing to the destination IPaddress, obtain, according to the statistical data, a statistical valueof global traffic flowing to the destination IP address, where thestatistical value of the global traffic indicates a statistical valuethat is used to reflect traffic flowing to the destination IP addresswithin a range of the SDN and that is obtained after the controllersummarizes statistical data reported by at least two packet forwardingdevices including the first packet forwarding device, and determinewhether the statistical value of the global traffic exceeds a presetthreshold, and deliver a DDoS prevention policy to the second packetforwarding device based on a determining result that the statisticalvalue of the global traffic exceeds the preset threshold. The firstpacket forwarding device is configured to receive the traffic statisticscollection instruction sent by the controller, collect, according to thetraffic statistics collection instruction, the statistical informationof the traffic flowing to the destination IP address, and report thestatistical data to the controller, and the second packet forwardingdevice is configured to receive the DDoS prevention policy sent by thecontroller, and perform, according to the DDoS prevention policy,prevention processing on the traffic flowing to the destination IPaddress.

With reference to the fifth aspect, in a first possible implementationof the fifth aspect, the traffic statistics collection instructionfurther carries a detection start time, where the detection start timeis used to notify the first packet forwarding device of a start time ofthe traffic statistics collection, the traffic statistics collection iscontinuously performed by the first packet forwarding device accordingto a detection period, and the statistical data is reported by the firstpacket forwarding device to the controller according to the detectionperiod.

With reference to the first possible implementation of the fifth aspect,in a second possible implementation of the fifth aspect, the controlleris further configured to determine that the statistical value of theglobal traffic does not exceed the preset threshold in at least twosuccessive detection periods, and deliver a prevention cancellationinstruction message to the second packet forwarding device, where theprevention cancellation instruction message is used to instruct thesecond packet forwarding device to stop executing the DDoS preventionpolicy, and the second packet forwarding device is further configured toreceive the prevention cancellation instruction message, and stopexecuting the DDoS prevention policy.

With reference to the fifth aspect or either of the foregoing possibleimplementations of the fifth aspect, in a third possible implementationof the fifth aspect, before delivering the DDoS prevention policy to thesecond packet forwarding device, the controller is further configured todetermine, according to the statistical data, a packet forwarding deviceclosest to an attack source on an attack path, and use the packetforwarding device closest to the attack source as the second packetforwarding device.

With reference to the third possible implementation of the fifth aspect,in a fourth possible implementation of the fifth aspect, the statisticalinformation of the traffic flowing to the destination IP addressincludes a volume of the traffic flowing from the first packetforwarding device to the destination IP address, and the controller isfurther configured to determine a first attack path according to thevolume of the traffic flowing from the first packet forwarding device tothe destination IP address, where the first attack path is an attackpath, of at least one attack path, with a maximum volume of trafficflowing to the destination IP address, and determine, according to thefirst attack path, the packet forwarding device closest to the attacksource, where the packet forwarding device closest to the attack sourceis located on an SDN edge that is on the first attack path and that ison a side of a source address of the traffic flowing to the destinationIP address.

With reference to the fifth aspect or any one of the foregoing possibleimplementations of the fifth aspect, in a fifth possible implementationof the fifth aspect, the DDoS prevention policy includes any one of ablack-hole route response policy, a traffic limiting response policy, arate limiting response policy, a discarding response policy, a localcleaning response policy, or a dynamic diversion and cleaning responsepolicy, where the black-hole route response policy is used to instructthe second packet forwarding device to perform, by configuring ablack-hole route, packet discarding processing on the traffic flowing tothe destination IP address, and the second packet forwarding device isfurther configured to perform, using the black-hole route according tothe black-hole route response policy, packet discarding processing onthe traffic flowing to the destination IP address, the traffic limitingresponse policy is used to instruct the second packet forwarding deviceto perform traffic limiting processing on the traffic flowing to thedestination IP address, and the second packet forwarding device isfurther configured to perform, according to the traffic limitingresponse policy, traffic limiting processing on the traffic flowing tothe destination IP address, the rate limiting response policy is used toinstruct the second packet forwarding device to perform rate limitingprocessing on the traffic flowing to the destination IP address, and thesecond packet forwarding device is further configured to perform,according to the rate limiting response policy, rate limiting processingon the traffic flowing to the destination IP address, the discardingresponse policy is used to instruct the second packet forwarding deviceto perform packet discarding processing on the traffic flowing to thedestination IP address, and the second packet forwarding device isfurther configured to perform, according to the discarding responsepolicy, packet discarding processing on the traffic flowing to thedestination IP address, the local cleaning response policy is used toinstruct the second packet forwarding device to locally perform cleaningprocessing on the traffic flowing to the destination IP address, and thesecond packet forwarding device is further configured to perform,according to the local cleaning response policy, cleaning processing onthe traffic flowing to the destination IP address, and the dynamicdiversion and cleaning response policy is used to instruct the secondpacket forwarding device to send the traffic flowing to the destinationIP address to a cleaning device for cleaning processing, and the secondpacket forwarding device is further configured to send, according to thedynamic diversion and cleaning response policy, the traffic flowing tothe destination IP address to the cleaning device for cleaningprocessing.

With reference to the fifth possible implementation of the fifth aspect,in a sixth possible implementation of the fifth aspect, the statisticaldata further includes a load value of the first packet forwardingdevice, and before delivering the DDoS prevention policy to the secondpacket forwarding device, the controller is further configured todetermine a first diversion path according to the load value of thefirst packet forwarding device, where the first diversion path is a pathwith a minimum load between the second packet forwarding device and thecleaning device, and the first diversion path includes the second packetforwarding device and the cleaning device, the DDoS prevention policydelivered to the second packet forwarding device is the dynamicdiversion and cleaning response policy, the dynamic diversion andcleaning response policy includes indication information of the firstdiversion path, and the indication information of the first diversionpath is used to instruct the second packet forwarding device to send,through the first diversion path, the traffic flowing to the destinationIP address to the cleaning device for cleaning processing, and thesecond packet forwarding device is further configured to send, throughthe first diversion path, the traffic flowing to the destination IPaddress to the cleaning device for cleaning processing.

With reference to the fifth possible implementation of the fifth aspect,in a seventh possible implementation of the fifth aspect, beforedelivering the DDoS prevention policy to the second packet forwardingdevice, the controller is further configured to determine a seconddiversion path according to an SDN topological relationship, where thesecond diversion path is a shortest path between the second packetforwarding device and the cleaning device, and the SDN topologicalrelationship includes a connection relationship between the packetforwarding devices in the SDN and a connection relationship between oneor more packet forwarding devices and the cleaning device, the DDoSprevention policy delivered to the second packet forwarding device isthe dynamic diversion and cleaning response policy, the dynamicdiversion and cleaning response policy includes indication informationof the second diversion path, and the indication information of thesecond diversion path is used to instruct the second packet forwardingdevice to send, through the second diversion path, the traffic flowingto the destination IP address to the cleaning device for cleaningprocessing, and the second packet forwarding device is furtherconfigured to send, through the second diversion path, the trafficflowing to the destination IP address to the cleaning device forcleaning processing.

A sixth aspect of the present disclosure provides a controller,including a processor, a memory, a transceiver, and a bus, where thetransceiver includes a southbound interface unit. The southboundinterface unit is configured to deliver a traffic statistics collectioninstruction to a first packet forwarding device, where the trafficstatistics collection instruction is used to instruct the first packetforwarding device to perform traffic statistics collection, and thetraffic statistics collection instruction carries a destination IPaddress, and collect statistical data reported by the first packetforwarding device according to the traffic statistics collectioninstruction, where the statistical data includes statistical informationof traffic flowing to the destination IP address. The processor isconfigured to obtain, according to the statistical data received by thereceiving module, a statistical value of global traffic flowing to thedestination IP address, where the statistical value of the globaltraffic indicates a statistical value that is used to reflect trafficflowing to the destination IP address within a range of the SDN and thatis obtained after the controller summarizes statistical data reported byat least two packet forwarding devices including the first packetforwarding device, and determine whether the statistical value of theglobal traffic exceeds a preset threshold. The southbound interface unitis further configured to deliver a DDoS prevention policy to a secondpacket forwarding device based on a determining result, determined bythe processor, that the statistical value of the global traffic exceedsthe preset threshold, and the memory is configured to store thestatistical data and the DDoS prevention policy.

With reference to the sixth aspect, in a first possible implementationof the sixth aspect, the traffic statistics collection instructionfurther carries a detection start time, where the detection start timeis used to notify the first packet forwarding device of a start time ofthe traffic statistics collection, the traffic statistics collection iscontinuously performed by the first packet forwarding device accordingto a detection period, and the statistical data is reported by the firstpacket forwarding device to the controller according to the detectionperiod, the processor is further configured to determine that thestatistical value of the global traffic does not exceed the presetthreshold in at least two detection periods, and the southboundinterface unit is further configured to deliver a preventioncancellation instruction message to the second packet forwarding devicebased on a result, determined by the processor, that the statisticalvalue of the global traffic does not exceed the preset threshold in theat least two successive detection periods, where the preventioncancellation instruction message is used to instruct the packetforwarding device to stop executing the DDoS prevention policy.

With reference to the sixth aspect or the first possible implementationof the sixth aspect, in a second possible implementation of the sixthaspect, before the southbound interface unit delivers the DDoSprevention policy to the second packet forwarding device, the processoris further configured to determine, according to the statistical datareceived by the southbound interface unit, a packet forwarding deviceclosest to an attack source on an attack path, and set the packetforwarding device closest to the attack source as the second packetforwarding device, and the southbound interface unit is furtherconfigured to deliver the DDoS prevention policy to the second packetforwarding device.

With reference to the second possible implementation of the sixthaspect, in a third possible implementation of the sixth aspect, thestatistical information of the traffic flowing to the destination IPaddress includes a volume of the traffic flowing from the first packetforwarding device to the destination IP address, and the processor isfurther configured to determine a first attack path according to thevolume, received by the southbound interface unit, of the trafficflowing from the first packet forwarding device to the destination IPaddress, where the first attack path is an attack path, of at least oneattack path, with a maximum volume of traffic flowing to the destinationIP address, and determine, according to the first attack path, thepacket forwarding device closest to the attack source, where the packetforwarding device closest to the attack source is located on an SDN edgethat is on the first attack path and that is on a side of a sourceaddress of the traffic flowing to the destination IP address.

With reference to the sixth aspect or any one of the foregoing possibleimplementations of the sixth aspect, in a fourth possible implementationof the sixth aspect, the DDoS prevention policy includes any one of ablack-hole route response policy, a traffic limiting response policy, arate limiting response policy, a discarding response policy, a localcleaning response policy, or a dynamic diversion and cleaning responsepolicy, where the black-hole route response policy is used to instructthe second packet forwarding device to perform, by configuring ablack-hole route, packet discarding processing on the traffic flowing tothe destination IP address. the traffic limiting response policy is usedto instruct the second packet forwarding device to perform trafficlimiting processing on the traffic flowing to the destination IPaddress, the rate limiting response policy is used to instruct thesecond packet forwarding device to perform rate limiting processing onthe traffic flowing to the destination IP address, the discardingresponse policy is used to instruct the second packet forwarding deviceto perform packet discarding processing on the traffic flowing to thedestination IP address, the local cleaning response policy is used toinstruct the second packet forwarding device to locally perform cleaningprocessing on the traffic flowing to the destination IP address, and thedynamic diversion and cleaning response policy is used to instruct thesecond packet forwarding device to send the traffic flowing to thedestination IP address to a cleaning device for cleaning processing.

With reference to the fourth possible implementation of the sixthaspect, in a fifth possible implementation of the sixth aspect, thestatistical data further includes a load value of the first packetforwarding device, and before the southbound interface delivers the DDoSprevention policy to the second packet forwarding device, the processoris further configured to determine a first diversion path according tothe load value of the first packet forwarding device, where the firstdiversion path is a path with a minimum load between the second packetforwarding device and the cleaning device, and the first diversion pathincludes the second packet forwarding device and the cleaning device,and the DDoS prevention policy delivered by the southbound interfaceunit to the second packet forwarding device according to the firstdiversion path determined by the processor is the dynamic diversion andcleaning response policy, the dynamic diversion and cleaning responsepolicy includes indication information of the first diversion path, andthe indication information of the first diversion path is used toinstruct the second packet forwarding device to send, through the firstdiversion path, the traffic flowing to the destination IP address to thecleaning device for cleaning processing.

With reference to the fourth possible implementation of the sixthaspect, in a sixth possible implementation of the sixth aspect, beforethe southbound interface unit delivers the DDoS prevention policy to thesecond packet forwarding device, the processor is further configured todetermine a second diversion path according to an SDN topologicalrelationship, where the second diversion path is a shortest path betweenthe second packet forwarding device and the cleaning device, and the SDNtopological relationship includes a connection relationship between thepacket forwarding devices in the SDN and a connection relationshipbetween one or more packet forwarding devices and the cleaning device,and the DDoS prevention policy delivered by the southbound interfaceunit to the second packet forwarding device according to the seconddiversion path determined by the processor is the dynamic diversion andcleaning response policy, the dynamic diversion and cleaning responsepolicy includes indication information of the second diversion path, andthe indication information of the second diversion path is used toinstruct the second packet forwarding device to send, through the seconddiversion path, the traffic flowing to the destination IP address to thecleaning device for cleaning processing.

A seventh aspect of the present disclosure provides a packet forwardingdevice, where the packet forwarding device is applied to an SDN system,the SDN system includes a controller and the packet forwarding device,and the packet forwarding device includes a processor, a memory, atransceiver, and a bus, where the transceiver includes a northboundinterface unit. The northbound interface unit is configured to receive atraffic statistics collection instruction sent by the controller, wherethe traffic statistics collection instruction is used to instruct theprocessor to perform traffic statistics collection, and the trafficstatistics collection instruction carries a destination IP address. Theprocessor is configured to collect, according to the traffic statisticscollection instruction received by the northbound interface unit,statistical information of traffic flowing to the destination IPaddress. The northbound interface unit is further configured to reportstatistical data to the controller according to the statisticalinformation, collected by the processor, of the traffic flowing to thedestination IP address, where the statistical data includes thestatistical information of the traffic flowing to the destination IPaddress, and the memory is configured to store the traffic statisticscollection instruction and the statistical information of the trafficflowing to the destination IP address.

With reference to the seventh aspect, in a first possible implementationof the seventh aspect, the traffic statistics collection instructionfurther carries a detection start time, where the detection start timeis used to notify the processor of a start time of the trafficstatistics collection, the traffic statistics collection is continuouslyperformed according to a detection period, and the statistical data isreported to the controller according to the detection period.

With reference to the seventh aspect or the first possibleimplementation of the seventh aspect, in a second possibleimplementation, after reporting the statistical data to the controller,the northbound interface unit is further configured to receive a DDoSprevention policy sent by the controller, and the processor is furtherconfigured to perform, according to the DDoS prevention policy receivedby the northbound interface unit, prevention processing on the trafficflowing to the destination IP address.

With reference to the second possible implementation of the seventhaspect, in a third possible implementation of the seventh aspect, afterreceiving the DDoS prevention policy sent by the controller, thenorthbound interface unit is further configured to receive a preventioncancellation instruction message sent by the controller, where theprevention cancellation instruction message is used to instruct theprocessor to stop executing the DDoS prevention policy, and theprocessor is further configured to stop, according to the preventioncancellation instruction message received by the northbound interfaceunit, performing prevention processing on the traffic flowing to thedestination IP address.

With reference to the first possible implementation of the seventhaspect or the second possible implementation of the seventh aspect, in afourth possible implementation of the seventh aspect, the DDoSprevention policy includes any one of a black-hole route responsepolicy, a traffic limiting response policy, a rate limiting responsepolicy, a discarding response policy, a local cleaning response policy,or a dynamic diversion and cleaning response policy, where theblack-hole route response policy is used to instruct the processor toperform, by configuring a black-hole route, packet discarding processingon the traffic flowing to the destination IP address, and the processoris further configured to perform, using the black-hole route accordingto the black-hole route response policy received by the northboundinterface unit, packet discarding processing on the traffic flowing tothe destination IP address, the traffic limiting response policy is usedto instruct the processor to perform traffic limiting processing on thetraffic flowing to the destination IP address, and the processor isfurther configured to perform, according to the traffic limitingresponse policy received by the northbound interface unit, trafficlimiting processing on the traffic flowing to the destination IPaddress, the rate limiting response policy is used to instruct theprocessor to perform rate limiting processing on the traffic flowing tothe destination IP address, and the processor is further configured toperform, according to the rate limiting response policy received by thenorthbound interface unit, rate limiting processing on the trafficflowing to the destination IP address, the discarding response policy isused to instruct the processor to perform packet discarding processingon the traffic flowing to the destination IP address, and the processoris further configured to perform, according to the discarding responsepolicy received by the northbound interface unit, packet discardingprocessing on the traffic flowing to the destination IP address, thelocal cleaning response policy is used to instruct the processor tolocally perform cleaning processing on the traffic flowing to thedestination IP address, and the processor is further configured tolocally perform, according to the local cleaning response policyreceived by the northbound interface unit, cleaning processing on thetraffic flowing to the destination IP address, and the dynamic diversionand cleaning response policy is used to instruct the processor to sendthe traffic flowing to the destination IP address to a cleaning devicefor cleaning processing, and the processor is further configured toinstruct, according to the dynamic diversion and cleaning responsepolicy received by the northbound interface unit, the northboundinterface unit to send the traffic flowing to the destination IP addressto the cleaning device for cleaning processing.

With reference to the fourth possible implementation of the seventhaspect, in a fifth possible implementation of the seventh aspect, thestatistical data further includes a load value of the first packetforwarding device, the dynamic diversion and cleaning response policyincludes indication information of the first diversion path, theindication information of the first diversion path is used to instructto send, through a first diversion path, the traffic flowing to thedestination IP address to the cleaning device for cleaning processing,the first diversion path is a path with a minimum load between thepacket forwarding device and the cleaning device, and the firstdiversion path includes the second packet forwarding device and thecleaning device, and the processor is further configured to instruct,according to the dynamic diversion and cleaning response policy receivedby the northbound interface unit, the northbound interface unit to send,through the first diversion path, the traffic flowing to the destinationIP address to the cleaning device for cleaning processing.

With reference to the fourth possible implementation of the seventhaspect, in a sixth possible implementation of the seventh aspect, thedynamic diversion and cleaning response policy includes indicationinformation of the second diversion path, where the indicationinformation of the second diversion path is used to instruct to send,through a second diversion path, the traffic flowing to the destinationIP address to the cleaning device for cleaning processing, and thesecond diversion path is a shortest path between the packet forwardingdevice and the cleaning device, and the processor is further configuredto instruct, according to the dynamic diversion and cleaning responsepolicy received by the northbound interface unit, the northboundinterface unit to send, through the second diversion path, the trafficflowing to the destination IP address to the cleaning device forcleaning processing.

According to the SDN-based DDoS attack prevention method, the apparatus,and the system that are provided in embodiments of the presentdisclosure. A controller delivers a traffic statistics collectioninstruction to a first packet forwarding device. The traffic statisticscollection instruction is used to instruct the first packet forwardingdevice to perform traffic statistics collection, and the trafficstatistics collection instruction carries a destination IP address. Thecontroller collects statistical data reported by the first packetforwarding device according to the traffic statistics collectioninstruction. The statistical data includes statistical information oftraffic flowing to the destination IP address. The controller obtains,according to the statistical data, a statistical value of global trafficflowing to the destination IP address, determines whether thestatistical value of the global traffic exceeds a preset threshold, anddelivers a DDoS prevention policy to a second packet forwarding devicebased on a determining result that the statistical value of the globaltraffic exceeds the preset threshold. Correspondingly, the first packetforwarding device receives the traffic statistics collection instructionsent by the controller, collects the statistical information of thetraffic flowing to the destination IP address according to the trafficstatistics collection instruction, and finally reports the statisticaldata to the controller. Correspondingly, the second packet forwardingdevice receives the DDoS prevention policy sent by the controller, andperforms, according to the DDoS prevention policy, prevention processingon the traffic flowing to the destination IP address. This reducesimpact of a DDoS attack on a network and improves network security.

BRIEF DESCRIPTION OF DRAWINGS

To describe the technical solutions in the embodiments of the presentdisclosure more clearly, the following briefly describes theaccompanying drawings required for describing the embodiments. Theaccompanying drawings in the following description show some embodimentsof the present disclosure, and persons of ordinary skill in the art maystill derive other drawings from these accompanying drawings withoutcreative efforts.

FIG. 1 is a schematic diagram of a DDoS attack;

FIG. 2 is a schematic deployment diagram of an SDN-based DDoS attackprevention system according to an embodiment of the present disclosure;

FIG. 3 is a schematic deployment diagram of an SDN system according toan embodiment of the present disclosure;

FIG. 4 is a schematic structural diagram of a controller according to anembodiment of the present disclosure;

FIG. 5 is a schematic structural diagram of a packet forwarding deviceaccording to an embodiment of the present disclosure;

FIG. 6 is a schematic structural diagram of an independent schedulingdevice according to an embodiment of the present disclosure;

FIG. 7 is a schematic structural diagram of a controller according to anembodiment of the present disclosure;

FIG. 8 is a schematic structural diagram of another packet forwardingdevice according to an embodiment of the present disclosure;

FIG. 9 is a schematic flowchart of an SDN-based DDoS attack preventionmethod according to an embodiment of the present disclosure;

FIG. 10 is a schematic flowchart of another SDN-based DDoS attackprevention method according to an embodiment of the present disclosure;

FIG. 11 is a schematic flowchart of another SDN-based DDoS attackprevention method according to an embodiment of the present disclosure;

FIG. 12 is a schematic flowchart of another SDN-based DDoS attackprevention method according to an embodiment of the present disclosure;

FIG. 13 is a schematic diagram of determining an attack path and aclosest attack source;

FIG. 14 is a schematic flowchart of another SDN-based DDoS attackprevention method according to an embodiment of the present disclosure;

FIG. 15 is a schematic flowchart of another SDN-based DDoS attackprevention method according to an embodiment of the present disclosure;

FIG. 16 is a schematic flowchart of another SDN-based DDoS attackprevention method according to an embodiment of the present disclosure;

FIG. 17 is a schematic flowchart of another SDN-based DDoS attackprevention method according to an embodiment of the present disclosure;

FIG. 18 is a schematic flowchart of another SDN-based DDoS attackprevention method according to an embodiment of the present disclosure;

FIG. 19 is a schematic flowchart of local cleaning processing;

FIG. 20 is a schematic diagram of an interaction procedure of anSDN-based DDoS attack prevention method according to an embodiment ofthe present disclosure; and

FIG. 21 is a schematic diagram of interaction in another SDN-based DDoSattack prevention method according to an embodiment of the presentdisclosure.

DESCRIPTION OF EMBODIMENTS

To make the objectives, technical solutions, and advantages of theembodiments of the present disclosure clearer, the following clearlydescribes the technical solutions in the embodiments of the presentdisclosure with reference to the accompanying drawings in theembodiments of the present disclosure. The described embodiments aresome but not all of the embodiments of the present disclosure. All otherembodiments obtained by persons of ordinary skill in the art based onthe embodiments of the present disclosure without creative efforts shallfall within the protection scope of the present disclosure.

The present disclosure provides a technical solution of SDN-based DDoSattack prevention. A controller in an SDN instructs a packet forwardingdevice to perform traffic statistics collection based on a destinationIP address, and the controller collects statistical data of the packetforwarding device, and determines whether a network attack occurs. If anattack occurs, this solution provides multiple possible DDoS preventionmanners. For example, the SDN supports centralized management on networktopologies and statuses, and the controller has a capability of sensinga global topology. Therefore, the controller can know which packetforwarding devices are used to connect to another network, that is, knowwhich packet forwarding devices are located on an SDN edge in order toinstruct a packet forwarding device that is close to an attack sourceand that is located on the SDN edge to perform traffic limiting, ordiscarding, or blocking on attack traffic. Alternatively, the controllerinstructs to divert suspected attack traffic to a dedicated cleaningdevice for cleaning the suspected attack traffic, thereby reducingimpact of the attack traffic on the network.

FIG. 2 is a schematic deployment diagram of an SDN-based DDoS attackprevention system according to an embodiment of the present disclosure.Referring to FIG. 2, the system includes at least one packet forwardingdevice, a controller, and a cleaning device.

The controller communicates with the packet forwarding devices and thecleaning device using a southbound interface. The southbound interfacemay use the OPENFLOW protocol, the Forwarding and Control ElementSeparation (ForCES) protocol, the Path Computation Element-CommunicationProtocol (PCE-P) protocol, or the like.

Optionally, when there is only one controller in the SDN, the controllermay have a controller scheduling function. The controller schedulingfunction is used to perform management, control, and scheduling trafficon packet forwarding devices in the entire SDN, and includes functionssuch as link discovery, topology management, policy formulation, andentry delivery.

Alternatively, for a cluster including multiple controllers in the SDN,the controller scheduling function may be independently set on anindependent scheduling device. For example, one controller is selectedfrom the multiple controllers as a primary controller. The primarycontroller may be used as the independent scheduling device. The primarycontroller communicates with the other controllers using an east-westinterface. The primary controller is mainly responsible for generatingand maintaining status information of secondary controllers, the packetforwarding device, and the cleaning device in the entire network. Oncethe primary controller fails, one controller is selected from thesecondary controllers in the cluster as a new primary controller. Inaddition, the controller cluster is transparent to the packet forwardingdevices and the cleaning device. That is, in a running process of theSDN, the packet forwarding device and the cleaning device do not need tocare that a command received by the packet forwarding device or thecleaning device is from which controller. In addition, when the packetforwarding devices or the cleaning device sends a data packet to acontroller, a previous operation manner involving a single controllermay still be used, thereby ensuring logic centralization of thecontrollers. Currently, there is no clear standard for defining aneast-west interface that is used for communication and connectionbetween multiple controllers and a scheduling device. Generally, anexisting mature cluster technology, for example, a server clustertechnology, may be used to implement communication over the east-westinterface.

Further, a DDoS control program may be installed on the controller, andthe controller executes the DDoS control program to implement aconfiguration related to the DDoS prevention solution. Optionally, theDDoS control program may be installed on another user equipment. A usercalls the DDoS control program using an application on the userequipment, and the user equipment executes the DDoS control program andinteracts with the controller in order to implement the configurationrelated to the DDoS prevention solution. The controller communicateswith the user equipment using a northbound interface of the controller.It should be noted that based on different requirements, there may bemultiple solutions for protocol formulation of the northbound interface.For example, a representational state transfer (REST) applicationprogramming interface (API) is a common northbound interface form. Someconventional network equipment manufacturers provide a programminginterface on their existing equipment, for direct calling by a serviceapplication, and the programming interface may also be considered as anorthbound interface. A purpose is to improve configuration managementflexibility without changing an existing device architecture, andrespond to competition with an open protocol.

Each one of the packet forwarding devices may be a forwarder, or may bea switch, a router, a firewall, or the like in a conventional network.Each one of the packet forwarding devices has a traffic monitoringfunction and a cleaning function.

The traffic monitoring function of the packet forwarding device is usedto monitor, based on a traffic statistics collection instructiondelivered by the controller, traffic that passes through the packetforwarding device. The traffic statistics collection instruction carriesa destination IP address, and the destination IP address may be an IPaddress or an IP address segment of a server that needs to be protected.The packet forwarding device may detect, according to the trafficmonitoring function, statistical information of traffic flowing to thedestination IP address, and report statistical data to the controller.

When the controller delivers an attack prevention policy, for example, aDDoS prevention policy, the cleaning function of the packet forwardingdevice is used to perform cleaning processing on suspected attacktraffic based on the attack prevention policy to remove the suspectedattack traffic.

In addition, the packet forwarding device may perform traffic limiting,discarding, or blocking on the traffic based on different attackprevention policies, or divert the suspected attack traffic to thecleaning device.

It should be noted that in the solution provided in this embodiment ofthe present disclosure, based on different functions of different stepsin a network attack prevention process, the packet forwarding device maybe classified into two types a first packet forwarding device and asecond packet forwarding device.

The first packet forwarding device has the traffic monitoring function,and all packet forwarding devices in an SDN system may be used as thefirst packet forwarding device. The second packet forwarding device hasthe cleaning function. For example, to effectively perform preventionprocessing on the suspected attack traffic, the controller instructs apacket forwarding device that is close to an attack source and that islocated on an SDN edge to perform prevention processing on the attacktraffic. In this scenario, the packet forwarding device that is close tothe attack source and that is located on the SDN edge is the secondpacket forwarding device. Generally, the second packet forwarding devicemay also have the traffic monitoring function. That is, the first packetforwarding device and the second packet forwarding device may be a sameentity device or may be different entity devices.

The cleaning device is configured to receive the suspected attacktraffic diverted by the packet forwarding device, clean the suspectedattack traffic, and inject traffic obtained after the cleaning to theSDN.

It should be noted that, compared with an existing diversion solution, adiversion solution provided in this embodiment of the present disclosurehas the following advantage. The controller in the SDN has linkdiscovery and topology management functions, and therefore when thediversion solution is used, the controller may configure, according toan SDN topological relationship or the statistical data, that the secondpacket forwarding device diverts the suspected attack traffic to thecleaning device using a path with minimum impact on the SDN network. Forexample, a path closest to the cleaning device is selected fordiversion, or a path with a minimum load is selected for diversion.Therefore, attack impact increased due to diversion in the otherapproaches is reduced. That is, the diversion solution provided in thepresent disclosure may be dynamically adjusted at any time according toa link status of the SDN. Accordingly, a policy corresponding to thissolution is named as a dynamic diversion and cleaning response policyhereinafter.

Further, FIG. 3 is a schematic deployment diagram of an SDN systemaccording to an embodiment of the present disclosure. Referring to FIG.3, the SDN system includes a controller, a first packet forwardingdevice, and a second packet forwarding device.

The controller is configured to deliver a traffic statistics collectioninstruction to the first packet forwarding device, where the trafficstatistics collection instruction is used to instruct the first packetforwarding device to perform traffic statistics collection, and thetraffic statistics collection instruction carries a destination IPaddress, collect statistical data reported by the first packetforwarding device according to the traffic statistics collectioninstruction, where the statistical data includes statistical informationof traffic flowing to the destination IP address, obtain, according tothe statistical data, a statistical value of global traffic flowing tothe destination IP address, where the statistical value of the globaltraffic indicates a statistical value that is used to reflect trafficflowing to the destination IP address within a range of the SDN and thatis obtained after the controller summarizes statistical data reported byat least two packet forwarding devices including the first packetforwarding device, and determine whether the statistical value of theglobal traffic exceeds a preset threshold, and deliver a DDoS preventionpolicy to the second packet forwarding device based on a determiningresult that the statistical value of the global traffic exceeds thepreset threshold.

The first packet forwarding device is configured to receive the trafficstatistics collection instruction sent by the controller, collect,according to the traffic statistics collection instruction, thestatistical information of the traffic flowing to the destination IPaddress, and report the statistical data to the controller.

The second packet forwarding device is configured to receive the DDoSprevention policy sent by the controller, and perform, according to theDDoS prevention policy, prevention processing on the traffic flowing tothe destination IP address.

According to the SDN system provided in this embodiment of the presentdisclosure, the controller delivers a traffic statistics collectioninstruction to the first packet forwarding device. The trafficstatistics collection instruction is used to instruct the first packetforwarding device to perform traffic statistics collection, and thetraffic statistics collection instruction carries a destination IPaddress. The controller collects statistical data reported by the firstpacket forwarding device according to the traffic statistics collectioninstruction. The statistical data includes statistical information oftraffic flowing to the destination IP address. The controller obtains,according to the statistical data, a statistical value of global trafficflowing to the destination IP address, determines whether thestatistical value of the global traffic exceeds a preset threshold, anddelivers a DDoS prevention policy to a second packet forwarding devicebased on a determining result that the statistical value of the globaltraffic exceeds the preset threshold. Correspondingly, the first packetforwarding device receives the traffic statistics collection instructionsent by the controller, collects the statistical information of thetraffic flowing to the destination IP address according to the trafficstatistics collection instruction, and finally reports the statisticaldata to the controller. Correspondingly, the second packet forwardingdevice receives the DDoS prevention policy sent by the controller, andperforms, according to the DDoS prevention policy, prevention processingon the traffic flowing to the destination IP address. This reducesimpact of a DDoS attack on a network and improves network security.

Optionally, the traffic statistics collection instruction furthercarries a detection start time.

The detection start time is used to notify the first packet forwardingdevice of a start time of the traffic statistics collection, the trafficstatistics collection is continuously performed by the first packetforwarding device according to a detection period, and the statisticaldata is reported by the first packet forwarding device to the controlleraccording to the detection period.

Further, the controller needs a mechanism to determine whether a networkattack stops. A possible implementation includes determining that thestatistical value of the global traffic does not exceed the presetthreshold in at least two successive detection periods, and delivering aprevention cancellation instruction message to the second packetforwarding device, where the prevention cancellation instruction messageis used to instruct the second packet forwarding device to stopexecuting the DDoS prevention policy.

The second packet forwarding device is further configured to receive theprevention cancellation instruction message, and stop executing the DDoSprevention policy.

Optionally, the controller may further deliver the DDoS preventionpolicy to a packet forwarding device that is close to an attack sourceand that is located on an SDN edge. A possible implementation is asfollows.

Before delivering the DDoS prevention policy to the second packetforwarding device, the controller is further configured to determine,according to the statistical data, a packet forwarding device closest toan attack source on an attack path, and use the packet forwarding deviceclosest to the attack source as the second packet forwarding device.

Further, the statistical information of the traffic flowing to thedestination IP address includes a volume of the traffic flowing from thefirst packet forwarding device to the destination IP address. Thecontroller is further configured to determine a first attack pathaccording to the volume of the traffic flowing from the first packetforwarding device to the destination IP address, where the first attackpath is an attack path, of at least one attack path, with a maximumvolume of traffic flowing to the destination IP address, and determine,according to the first attack path, the packet forwarding device closestto the attack source, where the packet forwarding device closest to theattack source is located on an SDN edge that is on the first attack pathand that is on a side of a source address of the traffic flowing to thedestination IP address.

Optionally, the DDoS prevention policy includes any one of a black-holeroute response policy, a traffic limiting response policy, a ratelimiting response policy, a discarding response policy, a local cleaningresponse policy, or a dynamic diversion and cleaning response policy.

Further, the foregoing response policies are described as follows. Ablack-hole route refers to a route entry, pointing to no next hop, in anaccess control list (ACL) of a packet forwarding device. Similar to acommon route entry, the black-hole route also includes a match item andan action. A packet that matches the match item of the black-hole routeis to be discarded by the packet forwarding device and is forwarded tono next hop. The action in the black-hole route may be implemented inmultiple manners. For example, a routing device forwards a packet to aninvalid IP address, for example, 0.0.0.0, or to a loopback address, orusing a null0 interface. The null0 is a logical interface on the routingdevice, and the null0 interface is always in an “up” state, but does notforward any packet. A packet forwarding device forwards a packet to anull0 interface on the packet forwarding device, and after receiving thepacket, the null0 interface discards the packet. Based on the foregoingcharacteristics of the black-hole route, when a network attack occurs,the controller may configure a corresponding black-hole route responsepolicy, and deliver the black-hole route response policy to the packetforwarding device in order to implement DDoS attack prevention. Theblack-hole route response policy is used to instruct the second packetforwarding device to perform, by configuring a black-hole route, packetdiscarding processing on the traffic flowing to the destination IPaddress. Further, the black-hole route response policy may includeinformation such as the destination IP address and a protocol typesupported by a packet.

The second packet forwarding device is further configured to perform,using the black-hole route according to the black-hole route responsepolicy, packet discarding processing on the traffic flowing to thedestination IP address.

Setting the black-hole route in the second packet forwarding device mayimplement packet discarding without giving a reason for discarding,thereby simplifying attack traffic processing and improving processingefficiency.

The traffic limiting response policy is used to instruct the secondpacket forwarding device to perform traffic limiting processing on thetraffic flowing to the destination IP address. Further, the secondpacket forwarding device limits, based on the traffic limiting responsepolicy, packet transmit/receive bandwidth in unit time, for example,specifying a maximum quantity of bytes of packets sent each second. Thetraffic limiting response policy may include the destination IP address,a protocol type supported by a packet, quintuple information of thepacket, and the like. The packet forwarding device may perform theforegoing limiting based on the quintuple information of the packet. Forexample, the foregoing limiting is performed for a Transmission ControlProtocol (TCP) packet and/or a UDP packet, the foregoing limiting isperformed for a source port of a specific packet, the foregoing limitingis performed for a destination port of a specific packet, and a packettransmission rate is limited by setting a specific upper rate limit.

The second packet forwarding device is further configured to perform,according to the traffic limiting response policy, traffic limitingprocessing on the traffic flowing to the destination IP address.

The rate limiting response policy is used to instruct the second packetforwarding device to perform rate limiting processing on the trafficflowing to the destination IP address. For example, the second packetforwarding device sets transmit/receive bandwidth based on the ratelimiting response policy.

The second packet forwarding device is further configured to perform,according to the rate limiting response policy, rate limiting processingon the traffic flowing to the destination IP address.

The discarding response policy is used to instruct the second packetforwarding device to perform packet discarding processing on the trafficflowing to the destination IP address. Further, the second packetforwarding device discards, based on the discarding response policy, areceived packet that includes suspected network attack traffic or ato-be-sent packet that includes suspected network attack traffic. Thediscarding response policy may include the destination IP address, aprotocol type supported by a packet, quintuple information of thepacket, and the like. The quintuple information of the packet mayinclude TCP information of the packet or UDP information of the packet,source port information of the packet, destination port information ofthe packet, drop packet information, and the like.

The second packet forwarding device is further configured to perform,according to the discarding response policy, packet discardingprocessing on the traffic flowing to the destination IP address.

The local cleaning response policy is used to instruct the second packetforwarding device to locally perform cleaning processing on the trafficflowing to the destination IP address. Further, the local cleaningresponse policy is used to instruct the second packet forwarding deviceto locally perform cleaning processing on the traffic flowing to thedestination IP address. The second packet forwarding device locallyperforms, based on the local cleaning response policy, cleaningprocessing on a received packet that includes suspected network attacktraffic or a to-be-sent packet that includes suspected network attacktraffic. Optionally, the local cleaning response policy may include thedestination IP address, a protocol type supported by a packet, quintupleinformation of the packet, and the like.

The second packet forwarding device is further configured to locallyperform, according to the local cleaning response policy, cleaningprocessing on the traffic flowing to the destination IP address.

The dynamic diversion and cleaning response policy is used to instructthe second packet forwarding device to send the traffic flowing to thedestination IP address to a cleaning device for cleaning processing.Optionally, the dynamic diversion and cleaning response policy mayinclude the destination IP address and diversion path indicationinformation.

The second packet forwarding device is further configured to send,according to the dynamic diversion and cleaning response policy, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing.

For the dynamic diversion and cleaning response policy, beforedelivering the dynamic diversion and cleaning response policy using thesouthbound interface unit, the controller needs to determine a path withminimum network impact to divert the traffic. The following describesseveral possible implementations.

Manner 1: The statistical data further includes a load value of thefirst packet forwarding device.

Before delivering the DDoS prevention policy to the second packetforwarding device, the controller is further configured to determine afirst diversion path according to the load value of the first packetforwarding device, where the first diversion path is a path with aminimum load between the second packet forwarding device and thecleaning device, and the first diversion path includes the second packetforwarding device and the cleaning device.

The DDoS prevention policy delivered to the second packet forwardingdevice is the dynamic diversion and cleaning response policy, thedynamic diversion and cleaning response policy includes indicationinformation of first diversion path, and the indication information ofthe first diversion path is used to instruct the second packetforwarding device to send, through the first diversion path, the trafficflowing to the destination IP address to the cleaning device forcleaning processing.

The second packet forwarding device is further configured to send,through the first diversion path, the traffic flowing to the destinationIP address to the cleaning device for cleaning processing.

Manner 2: Before delivering the DDoS prevention policy to the secondpacket forwarding device, the controller is further configured todetermine a second diversion path according to an SDN topologicalrelationship, where the second diversion path is a shortest path betweenthe second packet forwarding device and the cleaning device, and the SDNtopological relationship includes a connection relationship between thepacket forwarding devices in the SDN and a connection relationshipbetween one or more packet forwarding devices and the cleaning device.

The DDoS prevention policy delivered to the second packet forwardingdevice is the dynamic diversion and cleaning response policy. Thedynamic diversion and cleaning response policy includes indicationinformation of the second diversion path, and the indication informationof the second diversion path is used to instruct the second packetforwarding device to send, through the second diversion path, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing.

The second packet forwarding device is further configured to send,through the second diversion path, the traffic flowing to thedestination IP address to the cleaning device for cleaning processing.

On a basis of FIG. 2 and FIG. 3, the following describes each node in anSDN-based DDoS attack prevention system.

FIG. 4 is a schematic structural diagram of a controller according to anembodiment of the present disclosure. Referring to FIG. 4, thecontroller includes a processor 10, a memory 11, a transceiver 12, and abus 13.

The transceiver 12 includes a northbound interface unit 12 a, asouthbound interface unit 12 b, and an east-west interface unit 12 c.

The processor 10 is configured to execute a DDoS control program toobtain a DDoS prevention configuration parameter, and instruct, based onthe DDoS prevention configuration parameter, the southbound interfaceunit 12 b to interact with a packet forwarding device and a cleaningdevice in order to implement a configuration related to the foregoingDDoS prevention solution. For example, the DDoS prevention configurationparameter is a destination IP address. The processor 10 instructs thesouthbound interface unit 12 b to deliver a traffic statisticscollection instruction to a first packet forwarding device. The trafficstatistics collection instruction carries the destination IP address.The southbound interface unit 12 b receives statistical data sent by thefirst packet forwarding device. The statistical data includesstatistical information of traffic flowing to the destination IPaddress.

It should be noted that the DDoS prevention configuration parameter maybe obtained from user equipment using the northbound interface unit 12a.

Further, the processor 10 obtains, according to the statistical datareceived by the southbound interface unit 12 b, a statistical value ofglobal traffic flowing to the destination IP address, and determineswhether the statistical value of the global traffic exceeds a presetthreshold.

The statistical value of the global traffic indicates a statisticalvalue that is used to reflect traffic flowing to the destination IPaddress within a range of an SDN and that is obtained after thecontroller summarizes statistical data reported by at least two packetforwarding devices including the first packet forwarding device.

Further, if a network attack occurs, the processor 10 instructs, basedon a determining result that the statistical value of the global trafficexceeds the preset threshold, the southbound interface unit 12 b to senda DDoS prevention policy to a second packet forwarding device.

Optionally, when the controller has the foregoing controller schedulingfunction, the processor 10 directly instructs the southbound interfaceunit 12 b to interact with the packet forwarding device and the cleaningdevice in order to implement a configuration related to the foregoingDDoS prevention solution. If a system further includes the foregoingindependent scheduling device, the processor 10 instructs the east-westinterface unit 12 c to interact with the independent scheduling devicein order to implement the configuration related to the foregoingcontroller scheduling function. It should be noted that the northboundinterface unit 12 a and the east-west interface unit 12 c are optionalunits. For a controller that can execute a DDoS control program byitself, the northbound interface unit 12 a may not be disposed. For acontroller that has the foregoing controller scheduling function, theeast-west interface unit 12 c may not be disposed.

The memory 11 is configured to store the DDoS prevention configurationparameter, the DDoS control program, the statistical data reported bythe first packet forwarding device, the DDoS prevention policy, and thelike, which are to be called by the processor 10 in a correspondingoperation.

According to the controller provided in this embodiment of the presentdisclosure, the processor 10 instructs the southbound interface unit 12b to deliver a traffic statistics collection instruction to a firstpacket forwarding device. The traffic statistics collection instructionis used to instruct the first packet forwarding device to performtraffic statistics collection, and the traffic statistics collectioninstruction carries a destination IP address. The southbound interfaceunit 12 b receives statistical data reported by the first packetforwarding device according to the traffic statistics collectioninstruction. The statistical data includes statistical information oftraffic flowing to the destination IP address. The processor 10 obtains,according to the statistical data received by the southbound interfaceunit 12 b, a statistical value of global traffic flowing to thedestination IP address. The statistical value of the global trafficindicates a statistical value that is used to reflect traffic flowing tothe destination IP address within a range of an SDN and that is obtainedafter the controller summarizes statistical data reported by at leasttwo packet forwarding devices including the first packet forwardingdevice. The processor 10 determines whether the statistical value of theglobal traffic exceeds a preset threshold. The processor 10 instructs,based on a determining result that the statistical value of the globaltraffic exceeds the preset threshold, the southbound interface unit 12 bto deliver a DDoS prevention policy to a second packet forwardingdevice. This reduces impact of a DDoS attack on a network and improvesnetwork security.

Optionally, the traffic statistics collection instruction furthercarries a detection start time.

The detection start time is used to notify the first packet forwardingdevice of a start time of the traffic statistics collection, the trafficstatistics collection is continuously performed by the first packetforwarding device according to a detection period, and the statisticaldata is reported by the first packet forwarding device to the controlleraccording to the detection period.

Further, the controller needs a mechanism to determine whether a networkattack stops. A possible implementation is as follows.

The processor 10 is further configured to determine that the statisticalvalue of the global traffic does not exceed the preset threshold in atleast two detection periods.

The southbound interface unit 12 b is further configured to deliver aprevention cancellation instruction message to the second packetforwarding device based on a result, determined by the processor 10,that the statistical value of the global traffic does not exceed thepreset threshold in the at least two successive detection periods.

The prevention cancellation instruction message is used to instruct thesecond packet forwarding device to stop executing the DDoS preventionpolicy.

Optionally, the controller may further deliver the DDoS preventionpolicy to a packet forwarding device that is close to an attack sourceand that is located on an SDN edge. A possible implementation is asfollows.

Before the southbound interface unit 12 b delivers the DDoS preventionpolicy to the second packet forwarding device, the processor 10 isfurther configured to determine, according to the statistical datareceived by the southbound interface unit 12 b, a packet forwardingdevice closest to an attack source on an attack path, and use the packetforwarding device closest to the attack source as the second packetforwarding device.

The southbound interface unit 12 b is further configured to deliver theDDoS prevention policy to the second packet forwarding device.

Further, the statistical information of the traffic flowing to thedestination IP address includes a volume of the traffic flowing from thefirst packet forwarding device to the destination IP address. Theprocessor 10 determines a first attack path according to the volume,received by the southbound interface unit 12 b, of the traffic flowingfrom the first packet forwarding device to the destination IP address.The first attack path is an attack path, of at least one attack path,with a maximum volume of traffic flowing to the destination IP address.The processor 10 determines, according to the first attack path, thepacket forwarding device closest to the attack source.

The packet forwarding device closest to the attack source is located onan SDN edge that is on the first attack path and that is on a side of asource address of the traffic flowing to the destination IP address.

Optionally, the DDoS prevention policy includes any one of a black-holeroute response policy, a traffic limiting response policy, a ratelimiting response policy, a discarding response policy, a local cleaningresponse policy, or a dynamic diversion and cleaning response policy.The controller delivers a response instruction.

For the dynamic diversion and cleaning response policy, before thesouthbound interface unit 12 b delivers the dynamic diversion andcleaning response policy, the controller needs to determine a path withminimum network impact to divert the traffic. The following describesseveral possible implementations.

Manner 1: The statistical data further includes a load value of thefirst packet forwarding device.

The processor 10 is configured to determine a first diversion pathaccording to the load value of the first packet forwarding device.

The first diversion path is a path with a minimum load between thesecond packet forwarding device and the cleaning device, and the firstdiversion path includes the second packet forwarding device and thecleaning device.

In this case, the southbound interface unit 12 b delivers the dynamicdiversion and cleaning response policy to the second packet forwardingdevice according to the first diversion path determined by the processor10. The dynamic diversion and cleaning response policy includesindication information of the first diversion path, and the indicationinformation of the first diversion path is used to instruct the secondpacket forwarding device to send, through the first diversion path, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing.

Manner 2: The processor 10 is configured to determine a second diversionpath according to an SDN topological relationship. The second diversionpath is a shortest path between the second packet forwarding device andthe cleaning device, and the SDN topological relationship includes aconnection relationship between the packet forwarding devices in the SDNand a connection relationship between one or more packet forwardingdevices and the cleaning device.

The southbound interface unit 12 b delivers the dynamic diversion andcleaning response policy to the second packet forwarding deviceaccording to the second diversion path determined by the processor 10.The dynamic diversion and cleaning response policy includes indicationinformation of the second diversion path, and the indication informationof the second diversion path is used to instruct the second packetforwarding device to send, through the second diversion path, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing.

Further, the following uses a secondary controller and a primarycontroller as an example to describe interaction between the controllerand the independent scheduling device. The primary controller maycooperate, in two possible implementations, with the secondarycontroller to implement the attack prevention solution.

Manner 1: The primary controller obtains working statuses of all ofsecondary controllers in the SDN, the packet forwarding devices, and thecleaning device. Each secondary controller periodically interacts withthe first packet forwarding device using a southbound interface unit toobtain statistical data, each secondary controller sends the collectedstatistical data to the primary controller using a respective east-westinterface unit, and then the primary controller obtains a statisticalvalue of global traffic after performing summarization, and determines,according to the statistical value of the global traffic, whether anetwork attack occurs. The primary controller negotiates with thesecondary controllers to formulate an agreed network attack preventionpolicy, for example, the DDoS prevention policy, and the secondarycontrollers deliver the network attack prevention policy to the secondpacket forwarding device using southbound interface units.

Manner 2: The primary controller selects an idle secondary controller tocomplete the attack prevention solution. For example, the primarycontroller interacts with a secondary controller using an east-westinterface unit, and the primary controller instructs the secondarycontroller to complete the attack prevention solution. The secondarycontroller periodically interacts with the first packet forwardingdevice using a southbound interface unit to obtain statistical data. Thesecondary controller summarizes the collected statistical data to obtaina statistical value of global traffic, and determines, according to thestatistical value of the global traffic, whether a network attackoccurs, and the secondary controller delivers the network attackprevention policy to the second packet forwarding device using thesouthbound interface unit.

FIG. 5 is a schematic structural diagram of a packet forwarding deviceaccording to an embodiment of the present disclosure. The packetforwarding device is the foregoing first packet forwarding device in atraffic statistics collection process, and is the foregoing secondpacket forwarding device in a DDoS prevention policy execution process.Referring to FIG. 5, the packet forwarding device includes a processor20, a memory 21, a transceiver 22, and a bus 23.

The transceiver 22 includes a northbound interface unit 22 a.

First, when the packet forwarding device serves as the first packetforwarding device, the packet forwarding device has the followingfunctions.

The northbound interface unit 22 a is connected to a southboundinterface unit of a controller and is configured to receive a relatedparameter, for example, a traffic statistics collection instruction,configured by the controller for a DDoS attack, and report related data,for example, statistical data, obtained by means of detection for theDDoS attack to the controller. The traffic statistics collectioninstruction carries a destination IP address and is used to instruct theprocessor 20 to perform traffic statistics collection. The statisticaldata includes statistical information of traffic flowing to thedestination IP address.

The processor 20 is configured to perform statistics collection on thetraffic flowing to the destination IP address according to the trafficstatistics collection instruction received by the northbound interfaceunit 22 a to obtain the statistical information of the traffic flowingto the destination IP address.

The memory 21 is configured to store the related parameter configured bythe controller for the DDoS attack, the statistical data, and the like.

According to the first packet forwarding device provided in thisembodiment of present disclosure, the northbound interface unit 22 areceives a related parameter, for example, a traffic statisticscollection instruction, configured by a controller for a DDoS attack.The traffic statistics collection instruction carries a destination IPaddress and is used to instruct the processor 20 to perform trafficstatistics collection. Further, the processor 20 performs, according tothe traffic statistics collection instruction received by the northboundinterface unit 22 a, statistics collection on traffic flowing to thedestination IP address to obtain statistical information of the trafficflowing to the destination IP address. The northbound interface unit 22a reports related data, for example, statistical data, obtained by meansof detection for the DDoS attack to the controller. The statistical dataincludes the statistical information of the traffic flowing to thedestination IP address. The first packet forwarding device performs thetraffic statistics collection on the traffic flowing to the destinationIP address, and reports the statistical data to the controller such thatthe controller can determine, based on the statistical data, whether aDDoS attack occurs, and trigger a corresponding DDoS prevention policy.This reduces impact of a DDoS attack on a network and improves networksecurity.

Optionally, the traffic statistics collection instruction furthercarries a detection start time.

The detection start time is used to notify the processor 20 of a starttime of the traffic statistics collection, the traffic statisticscollection is continuously performed according to a detection period,and the statistical data is reported to the controller according to thedetection period.

Still referring to FIG. 5, when the packet forwarding device serves asthe second packet forwarding device, the packet forwarding device hasthe following functions.

After reporting the statistical data to the controller, the northboundinterface unit 22 a is further configured to receive a DDoS preventionpolicy sent by the controller.

The processor 20 is further configured to perform, according to the DDoSprevention policy received by the northbound interface unit 22 a,prevention processing on the traffic flowing to the destination IPaddress.

According to the second packet forwarding device provided in thisembodiment, after the northbound interface unit 22 a reports statisticaldata to a controller, the northbound interface unit 22 a receives a DDoSprevention policy sent by the controller, and the processor 20 performs,according to the DDoS prevention policy received by the northboundinterface unit, prevention processing on traffic flowing to adestination IP address. This implements DDoS prevention on the trafficflowing to the destination IP address, reduces impact of a DDoS attackon a network, and improves network security.

It should be noted that some packet forwarding devices in an SDN havefunctions of both the first packet forwarding device and the secondpacket forwarding device. These packet forwarding devices are usuallypacket forwarding devices that can maximize a prevention effect of theexecuted DDoS prevention policy, for example, a packet forwarding devicethat is close to an attack source and that is located on an SDN edge.Other packet forwarding devices in the SDN have only a function of thefirst packet forwarding device, for example, a packet forwarding devicethat is not located on the SDN edge. Certainly, according to specificdeployment of the SDN and a specific scenario in which a network attackoccurs, the controller may configure, according to a requirement, that apacket forwarding device in the SDN has functions/a function of thefirst packet forwarding device and/or the second packet forwardingdevice. This is not limited in this embodiment of the presentdisclosure.

Further, corresponding to a mechanism used by the controller todetermine whether a network attack stops, corresponding functions on asecond packet forwarding device side are as follows.

After receiving the DDoS prevention policy sent by the controller, thenorthbound interface unit 22 a is further configured to receive aprevention cancellation instruction message sent by the controller,where the prevention cancellation instruction message is used toinstruct the processor 20 to stop executing the DDoS prevention policy.

The processor 20 is further configured to stop, according to theprevention cancellation instruction message received by the northboundinterface unit 22 a, performing prevention processing on the trafficflowing to the destination IP address.

Optionally, the DDoS prevention policy includes any one of a black-holeroute response policy, a traffic limiting response policy, a ratelimiting response policy, a discarding response policy, a local cleaningresponse policy, or a dynamic diversion and cleaning response policy.

The black-hole route response policy is used to instruct the processor20 to perform, by configuring a black-hole route, packet discardingprocessing on the traffic flowing to the destination IP address.

The processor 20 is further configured to perform, using a black-holeroute according to the black-hole route response policy received by thenorthbound interface unit 22 a, packet discarding processing on thetraffic flowing to the destination IP address.

The traffic limiting response policy is used to instruct the processor20 to perform traffic limiting processing on the traffic flowing to thedestination IP address.

The processor 20 is further configured to perform, according to thetraffic limiting response policy received by the northbound interfaceunit 22 a, traffic limiting processing on the traffic flowing to thedestination IP address.

The rate limiting response policy is used to instruct the processor 20to perform rate limiting processing on the traffic flowing to thedestination IP address.

The processor 20 is further configured to perform, according to the ratelimiting response policy received by the northbound interface unit 22 a,rate limiting processing on the traffic flowing to the destination IPaddress.

The discarding response policy is used to instruct the processor 20 toperform packet discarding processing on the traffic flowing to thedestination IP address.

The processor 20 is further configured to perform, according to thediscarding response policy received by the northbound interface unit 22a, packet discarding processing on the traffic flowing to thedestination IP address.

The local cleaning response policy is used to instruct the processor 20to locally perform cleaning processing on the traffic flowing to thedestination IP address.

The processor 20 is further configured to locally perform, according tothe local cleaning response policy received by the northbound interfaceunit 22 a, cleaning processing on the traffic flowing to the destinationIP address.

The dynamic diversion and cleaning response policy is used to instructthe processor 20 to send the traffic flowing to the destination IPaddress to a cleaning device for cleaning processing.

The processor 20 is further configured to instruct, according to thedynamic diversion and cleaning response policy received by thenorthbound interface unit 22 a, the northbound interface unit 22 a tosend the traffic flowing to the destination IP address to the cleaningdevice for cleaning processing.

For the dynamic diversion and cleaning response policy, before thecontroller delivers the dynamic diversion and cleaning response policy,the controller needs to determine a path with minimum network impact todivert the traffic. The second packet forwarding device side has thefollowing corresponding functions.

Manner 1:

The statistical data further includes a load value of the first packetforwarding device.

The dynamic diversion and cleaning response policy includes indicationinformation of the first diversion path. The indication information ofthe first diversion path is used to instruct to send, through a firstdiversion path, the traffic flowing to the destination IP address to thecleaning device for cleaning processing. The first diversion path is apath with a minimum load between the packet forwarding device and thecleaning device, and the first diversion path includes the second packetforwarding device and the cleaning device.

The packet forwarding device is the second packet forwarding device.

The processor 20 is further configured to instruct, according to thedynamic diversion and cleaning response policy received by thenorthbound interface unit 22 a, the northbound interface unit 22 a tosend, through the first diversion path, the traffic flowing to thedestination IP address to the cleaning device for cleaning processing.

Manner 2:

The dynamic diversion and cleaning response policy includes indicationinformation of the second diversion path. The indication information ofthe second diversion path is used to instruct to send, through a seconddiversion path, the traffic flowing to the destination IP address to thecleaning device for cleaning processing. The second diversion path is ashortest path between the packet forwarding device and the cleaningdevice.

The packet forwarding device is the second packet forwarding device.

The processor 20 is further configured to instruct, according to thedynamic diversion and cleaning response policy received by thenorthbound interface unit 22 a, the northbound interface unit 22 a tosend, through the second diversion path, the traffic flowing to thedestination IP address to the cleaning device for cleaning processing.

FIG. 6 is a schematic structural diagram of an independent schedulingdevice according to an embodiment of the present disclosure. Referringto FIG. 6, the independent scheduling device includes a processor 30, amemory 31, a transceiver 32, and a bus 33.

The transceiver 32 includes an east-west interface unit 32 a.

Further, for the independent scheduling device, there may be twopossible implementations. The following separately describes the twomanners.

Manner 1:

The east-west interface unit 32 a of the independent scheduling deviceis connected to an east-west interface unit of a controller.

The processor 30 is configured to instruct the east-west interface unit32 a to send a traffic statistics collection instruction to thecontroller such that the controller delivers the traffic statisticscollection instruction to a first packet forwarding device.

Optionally, the traffic statistics collection instruction may also bedelivered by the controller itself to the first packet forwardingdevice, and with no need to send the traffic statistics collectioninstruction to the controller by the east-west interface unit 32 a.

The east-west interface unit 32 a is further configured to receivestatistical data sent by the controller.

Further, the controller collects statistical data reported by the firstpacket forwarding device according to the traffic statistics collectioninstruction, and sends the statistical data to the east-west interfaceunit 32 a of the independent scheduling device.

The processor 30 is configured to obtain, according to the statisticaldata received by the east-west interface unit 32 a, a statistical valueof global traffic flowing to a destination IP address, and determine,according to the statistical value of the global traffic, whether anetwork attack occurs.

The statistical value of the global traffic indicates a statisticalvalue that is used to reflect traffic flowing to the destination IPaddress within a range of the SDN and that is obtained after thecontroller summarizes statistical data reported by at least two packetforwarding devices including the first packet forwarding device.

If a network attack occurs, the processor 30 negotiates with thecontroller using the east-west interface unit 32 a to determine a DDoSprevention policy, and instructs the controller to deliver thedetermined DDoS prevention policy to a second packet forwarding device.

Manner 2:

The east-west interface unit 32 a of the independent scheduling deviceis connected to an east-west interface unit 12 c of a controller.

The east-west interface unit 32 a receives a DDoS prevention requestmessage sent by the controller.

The processor 30 determines, according to the DDoS prevention requestmessage and controller status information, a controller that isconfigured to execute a DDoS prevention function.

Further, when a cluster includes multiple controllers, an independentscheduling device is usually disposed to facilitate management of themultiple controllers. Therefore, the processor 30 needs to select, basedon the controller status information, a controller that can execute aDDoS prevention function. The controller status information may includeprocessing capability information, a load status, an idle status, andthe like that are of each controller in the cluster. After determiningthe controller that can execute the DDoS prevention function, theindependent scheduling device sends a DDoS prevention response messageto the controller. The DDoS prevention response message includes a DDoSprevention execution instruction. The controller executes a DDoSprevention function according to the DDoS prevention executioninstruction. For specific functions, refer to the solution in theembodiment corresponding to FIG. 4.

In Manner 1, there may be multiple mechanisms for negotiation betweenthe independent scheduling device and the controller. For example,statistical information of the traffic flowing to the destination IPaddress includes a volume of the traffic flowing from the first packetforwarding device to the destination IP address. The independentscheduling device determines a first attack path according to the volumeof the traffic flowing from the first packet forwarding device to thedestination IP address, where the first attack path is an attack path,of at least one attack path, with a maximum volume of traffic flowing tothe destination IP address, and determines, according to the firstattack path, a packet forwarding device closest to the attack source.The packet forwarding device closest to the attack source is located onan SDN edge that is on the first attack path and that is on a side of asource address of the traffic flowing to the destination IP address. Theindependent scheduling device instructs the controller to set the packetforwarding device closest to the attack source as the second packetforwarding device, and deliver the DDoS prevention policy to the secondpacket forwarding device. For another example, after determining to seta dynamic diversion and cleaning response policy, the independentscheduling device determines a first diversion path according to a loadvalue of the first packet forwarding device. The first diversion path isa path with a minimum load between the second packet forwarding deviceand the cleaning device. The independent scheduling device delivers thedynamic diversion and cleaning response policy to the controller. Thepolicy includes indication information of the first diversion path. Theindication information of the first diversion path is used to instructthe second packet forwarding device to send, through the first diversionpath, the traffic flowing to the destination IP address to the cleaningdevice for cleaning processing. For another example, after determiningto set a dynamic diversion and cleaning response policy, the independentscheduling device determines a second diversion path according to an SDNtopological relationship. The second diversion path is a shortest pathbetween the second packet forwarding device and the cleaning device. TheSDN topological relationship includes a connection relationship betweenthe packet forwarding devices in the SDN and a connection relationshipbetween one or more packet forwarding devices and the cleaning device.The independent scheduling device delivers the dynamic diversion andcleaning response policy to the controller. The policy includesindication information of the second diversion path. The indicationinformation of the second diversion path is used to instruct the secondpacket forwarding device to send, through the second diversion path, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing. Certainly, there may be multiple possiblemechanisms for negotiation between the independent scheduling device andthe controller. This is not limited in this embodiment of the presentdisclosure.

Optionally, for the foregoing controller, there may be another possibleimplementation. Further, FIG. 7 is a schematic structural diagram of acontroller according to an embodiment of the present disclosure.Referring to FIG. 7, the controller includes a sending module 40, aprocessing module 41, and a receiving module 42.

The sending module 40 is configured to deliver a traffic statisticscollection instruction to a first packet forwarding device. The trafficstatistics collection instruction is used to instruct the first packetforwarding device to perform traffic statistics collection, and thetraffic statistics collection instruction carries a destination IPaddress.

The receiving module 42 is configured to collect statistical datareported by the first packet forwarding device according to the trafficstatistics collection instruction. The statistical data includesstatistical information of traffic flowing to the destination IPaddress.

The processing module 41 is configured to obtain, according to thestatistical data received by the receiving module 42, a statisticalvalue of global traffic flowing to the destination IP address, where thestatistical value of the global traffic indicates a statistical valuethat is used to reflect traffic flowing to the destination IP addresswithin a range of an SDN and that is obtained after the controllersummarizes statistical data reported by at least two packet forwardingdevices including the first packet forwarding device, and determinewhether the statistical value of the global traffic exceeds a presetthreshold.

The sending module 40 is further configured to deliver a DDoS preventionpolicy to a second packet forwarding device based on a determiningresult, determined by the processing module 41, that the statisticalvalue of the global traffic exceeds the preset threshold.

According to the controller provided in this embodiment of the presentdisclosure, the processing module 41 instructs the sending module 40 todeliver a traffic statistics collection instruction to a first packetforwarding device. The traffic statistics collection instruction is usedto instruct the first packet forwarding device to perform trafficstatistics collection, and the traffic statistics collection instructioncarries a destination IP address. The receiving module 42 receivesstatistical data reported by the first packet forwarding deviceaccording to the traffic statistics collection instruction. Thestatistical data includes statistical information of traffic flowing tothe destination IP address. The processing module 41 obtains, accordingto the statistical data received by the receiving module 42, astatistical value of global traffic flowing to the destination IPaddress. The statistical value of the global traffic indicates astatistical value that is used to reflect traffic flowing to thedestination IP address within a range of an SDN and that is obtainedafter the controller summarizes statistical data reported by at leasttwo packet forwarding devices including the first packet forwardingdevice. The processing module 41 determines whether the statisticalvalue of the global traffic exceeds a preset threshold. The sendingmodule 40 delivers a DDoS prevention policy to a second packetforwarding device based on a determining result, determined by theprocessing module 41, that the statistical value of the global trafficexceeds the preset threshold. This reduces impact of a DDoS attack on anetwork and improves network security.

Optionally, the traffic statistics collection instruction furthercarries the foregoing detection start time.

Further, the controller needs a mechanism used to determine whether anetwork attack stops. A possible implementation is as follows.

The processing module 41 is further configured to determine that thestatistical value of the global traffic does not exceed the presetthreshold in at least two successive detection periods.

The sending module 40 is further configured to deliver the foregoingprevention cancellation instruction message to the second packetforwarding device based on a result, determined by the processing module41, that the statistical value of the global traffic does not exceed thepreset threshold in the at least two successive detection periods.

Optionally, the controller may further deliver the DDoS preventionpolicy to a packet forwarding device that is close to an attack sourceand that is located on an SDN edge. A possible implementation includesdetermining, according to the statistical data received by the receivingmodule 42, a packet forwarding device closest to an attack source on anattack path, and using the packet forwarding device closest to theattack source as the second packet forwarding device.

Further, the statistical information of the traffic flowing to thedestination IP address includes a volume of the traffic flowing from thefirst packet forwarding device to the destination IP address.

The processing module 41 is further configured to determine a firstattack path according to the volume of the traffic that is received bythe receiving module 42 and that is flowing from the first packetforwarding device to the destination IP address, where the first attackpath is an attack path, of at least one attack path, with a maximumvolume of traffic flowing to the destination IP address, and determine,according to the first attack path, the packet forwarding device closestto the attack source, where the packet forwarding device closest to theattack source is located on an SDN edge that is on the first attack pathand that is on a side of a source address of the traffic flowing to thedestination IP address.

Optionally, the DDoS prevention policy includes any one of a black-holeroute response policy, a traffic limiting response policy, a ratelimiting response policy, a discarding response policy, a local cleaningresponse policy, or a dynamic diversion and cleaning response policy.

Further, the response policies are described in detail in the foregoingdescriptions, and are not described repeatedly herein.

For the dynamic diversion and cleaning response policy, before thecontroller delivers the dynamic diversion and cleaning response policy,the controller needs to determine a path with minimum network impact todivert the traffic. The following describes several possibleimplementations.

Manner 1: The statistical data further includes a load value of thefirst packet forwarding device.

Before the sending module 40 delivers the DDoS prevention policy to thesecond packet forwarding device, the processing module 41 is furtherconfigured to determine a first diversion path according to the loadvalue of the first packet forwarding device.

The first diversion path is a path with a minimum load between thesecond packet forwarding device and the cleaning device, and the firstdiversion path includes the second packet forwarding device and thecleaning device.

The DDoS prevention policy delivered by the sending module 40 to thesecond packet forwarding device according to the first diversion pathdetermined by the processing module 41 is the dynamic diversion andcleaning response policy. The dynamic diversion and cleaning responsepolicy includes indication information of the first diversion path, andthe indication information of the first diversion path is used toinstruct the second packet forwarding device to send, through the firstdiversion path, the traffic flowing to the destination IP address to thecleaning device for cleaning processing.

Manner 2: Before the sending module 40 delivers the DDoS preventionpolicy to the second packet forwarding device, the processing module 41is further configured to determine a second diversion path according toan SDN topological relationship, where the second diversion path is ashortest path between the second packet forwarding device and thecleaning device, and the SDN topological relationship includes aconnection relationship between the packet forwarding devices in the SDNand a connection relationship between one or more packet forwardingdevices and the cleaning device.

The DDoS prevention policy delivered by the sending module 40 to thesecond packet forwarding device according to the second diversion pathdetermined by the processing module 41 is the dynamic diversion andcleaning response policy. The dynamic diversion and cleaning responsepolicy includes indication information of the second diversion path, andthe indication information of the second diversion path is used toinstruct the second packet forwarding device to send, through the seconddiversion path, the traffic flowing to the destination IP address to thecleaning device for cleaning processing.

Optionally, for the foregoing packet forwarding device, there may beanother possible implementation. FIG. 8 is a schematic structuraldiagram of another packet forwarding device according to an embodimentof the present disclosure. Referring to FIG. 8, the packet forwardingdevice includes a sending module 50, a processing module 51, and areceiving module 52.

The receiving module 52 is configured to receive a traffic statisticscollection instruction sent by a controller. The traffic statisticscollection instruction is used to instruct the processing module 51 toperform traffic statistics collection, and the traffic statisticscollection instruction carries a destination IP address.

The processing module 51 is configured to collect, according to thetraffic statistics collection instruction received by the receivingmodule 52, statistical information of traffic flowing to the destinationIP address.

The sending module 50 is configured to report statistical data to thecontroller according to the statistical information, collected by theprocessing module 51, of the traffic flowing to the destination IPaddress. The statistical data includes the statistical information ofthe traffic flowing to the destination IP address.

The packet forwarding device provided in this embodiment of the presentdisclosure is the foregoing first packet forwarding device. Thereceiving module 52 receives a traffic statistics collection instructionsent by a controller. The traffic statistics collection instructioncarries a destination IP address and is used to instruct the processingmodule 51 to perform traffic statistics collection. Further, theprocessing module 51 performs, according to the traffic statisticscollection instruction received by the receiving module 52, statisticscollection on traffic flowing to the destination IP address to obtainstatistical information of the traffic flowing to the destination IPaddress. The sending module 50 reports statistical data to thecontroller. The statistical data includes the statistical information ofthe traffic flowing to the destination IP address. The first packetforwarding device performs the traffic statistics collection on thetraffic flowing to the destination IP address, and reports thestatistical data to the controller such that the controller candetermine, based on the statistical data, whether a DDoS attack occurs,and trigger a corresponding DDoS prevention policy. This reduces impactof a DDoS attack on a network and improves network security.

Optionally, the traffic statistics collection instruction furthercarries the foregoing detection start time.

Further, when the packet forwarding device shown in FIG. 8 serves as asecond packet forwarding device, the packet forwarding device has thefollowing functions.

After the sending module 50 reports the statistical data to thecontroller, the receiving module 52 is further configured to receive aDDoS prevention policy sent by the controller.

The processing module 51 is further configured to perform, according tothe DDoS prevention policy received by the receiving module 52,prevention processing on the traffic flowing to the destination IPaddress.

According to the second packet forwarding device provided in thisembodiment, after the sending module 50 reports statistical data to acontroller, the receiving module 52 receives a DDoS prevention policysent by the controller, and the processing module 51 performs, accordingto the DDoS prevention policy received by the receiving module 52,prevention processing on traffic flowing to a destination IP address.This implements DDoS prevention on the traffic flowing to thedestination IP address, reduces impact of a DDoS attack on a network,and improves network security.

Further, corresponding to a mechanism used by the controller todetermine whether a network attack stops, corresponding functions on asecond packet forwarding device side are as follows.

After receiving the DDoS prevention policy sent by the controller, thereceiving module 52 is further configured to receive a preventioncancellation instruction message sent by the controller.

The processing module 51 is further configured to stop, according to theprevention cancellation instruction message received by the receivingmodule 52, performing prevention processing on the traffic flowing tothe destination IP address.

Optionally, the DDoS prevention policy includes any one of a black-holeroute response policy, a traffic limiting response policy, a ratelimiting response policy, a discarding response policy, a local cleaningresponse policy, or a dynamic diversion and cleaning response policy.

The black-hole route response policy is used to instruct the processingmodule 51 to perform, by configuring a black-hole route, packetdiscarding processing on the traffic flowing to the destination IPaddress.

The processing module 51 is further configured to perform, using ablack-hole route according to the black-hole route response policyreceived by the receiving module 52, packet discarding processing on thetraffic flowing to the destination IP address.

The traffic limiting response policy is used to instruct the processingmodule 51 to perform traffic limiting processing on the traffic flowingto the destination IP address.

The processing module 51 is further configured to perform, according tothe traffic limiting response policy received by the receiving module52, traffic limiting processing on the traffic flowing to thedestination IP address.

The rate limiting response policy is used to instruct the processingmodule 51 to perform rate limiting processing on the traffic flowing tothe destination IP address.

The processing module 51 is further configured to perform, according tothe rate limiting response policy received by the receiving module 52,rate limiting processing on the traffic flowing to the destination IPaddress.

The discarding response policy is used to instruct the processing module51 to perform packet discarding processing on the traffic flowing to thedestination IP address.

The processing module 51 is further configured to perform, according tothe discarding response policy received by the receiving module 52,packet discarding processing on the traffic flowing to the destinationIP address.

The local cleaning response policy is used to instruct the processingmodule 51 to locally perform cleaning processing on the traffic flowingto the destination IP address.

The processing module 51 is further configured to locally perform,according to the local cleaning response policy received by thereceiving module 52, cleaning processing on the traffic flowing to thedestination IP address.

The dynamic diversion and cleaning response policy is used to instructthe processing module 51 to send the traffic flowing to the destinationIP address to a cleaning device for cleaning processing.

The processing module 51 is further configured to instruct, according tothe dynamic diversion and cleaning response policy received by thereceiving module 52, the sending module 50 to send the traffic flowingto the destination IP address to the cleaning device for cleaningprocessing.

For the dynamic diversion and cleaning response policy, before thecontroller delivers the dynamic diversion and cleaning response policy,the controller needs to determine a path with minimum network impact todivert the traffic. The second packet forwarding device side has thefollowing corresponding functions.

Manner 1:

The dynamic diversion and cleaning response policy includes indicationinformation of the first diversion path. The indication information ofthe first diversion path is used to instruct to send, through a firstdiversion path, the traffic flowing to the destination IP address to thecleaning device for cleaning processing. The first diversion path is apath with a minimum load between the packet forwarding device and thecleaning device, and the first diversion path includes the second packetforwarding device and the cleaning device.

The processing module 51 is further configured to instruct, according tothe dynamic diversion and cleaning response policy received by thereceiving module 52, the sending module 50 to send, through the firstdiversion path, the traffic flowing to the destination IP address to thecleaning device for cleaning processing.

Manner 2:

The dynamic diversion and cleaning response policy includes indicationinformation of the second diversion path. The indication information ofthe second diversion path is used to instruct to send, through a seconddiversion path, the traffic flowing to the destination IP address to thecleaning device for cleaning processing. The second diversion path is ashortest path between the packet forwarding device and the cleaningdevice.

The processing module 51 is further configured to instruct, according tothe dynamic diversion and cleaning response policy received by thereceiving module 52, the sending module 50 to send, through the seconddiversion path, the traffic flowing to the destination IP address to thecleaning device for cleaning processing.

On a basis of FIG. 2 to FIG. 8, FIG. 9 is a schematic flowchart of anSDN-based DDoS attack prevention method according to an embodiment ofthe present disclosure. Referring to FIG. 9, the flowchart includes thefollowing steps (not shown).

Step 1: In general, data traffic flows along 1->4->5 to arrive at aserver.

Step 2: A controller identifies a packet forwarding device located on anSDN edge. When the controller executes a DDoS control program or anapplication on user equipment calls a DDoS control program, thecontroller delivers a traffic statistics collection instruction to thepacket forwarding device located on the SDN edge. The traffic statisticscollection instruction is used to instruct the packet forwarding deviceto perform traffic statistics collection. In this case, the packetforwarding device located on the SDN edge is a first packet forwardingdevice. Optionally, the controller may deliver the traffic statisticscollection instruction to all packet forwarding devices in the SDN.

Further, the traffic statistics collection instruction carries adestination IP address. The destination IP address is an IP address oran IP address segment of the server. The first packet forwarding devicestarts to perform, at a specific time and based on the trafficstatistics collection instruction, statistics collection on trafficflowing to the destination IP address, to obtain statistical data. Thestatistical data includes statistical information of the traffic flowingto the destination IP address. The controller may query the statisticaldata from the first packet forwarding device at the end of a statisticalperiod T. A process of delivering a policy and querying a statisticalresult by the controller is shown by, for example, a flow direction 3.

Step 3: After receiving the traffic statistics collection instruction,the first packet forwarding device creates a destination IP addressmonitoring table based on the destination IP address. The table is ahash table and includes all statistical items of the destination IPaddress. The first packet forwarding device performs, in eachstatistical period, statistics collection on traffic of a forwarded datapacket whose destination address is the destination IP address. At theend of the statistical period, the controller queries the statisticaldata from the first packet forwarding device. A process of reporting thestatistical data by the first packet forwarding device is shown by, forexample, a flow direction 2.

Step 4: The controller obtains, by means of searching, all statisticaldata of the first packet forwarding device in a detection period T. Thecontroller summarizes statistical information of the traffic flowing tothe destination IP address to obtain a statistical value of globaltraffic flowing to the destination IP address. Further, the controllermay perform an operation, for example, addition, on the statistical datato obtain the statistical value of the global traffic flowing to thedestination IP address. The controller compares the statistical value ofthe global traffic with a preset threshold. If the preset threshold isexceeded, it is considered that a network attack occurs. If thestatistical value of the global traffic is less than the presetthreshold in several successive periods, it is considered that a networkattack is eliminated.

Step 5: If a network attack occurs, the controller delivers a networkattack prevention policy, for example, a DDoS prevention policy, to asecond packet forwarding device.

Further, in step 5, the controller may determine a packet forwardingdevice closest to an attack source, and set the packet forwarding deviceclosest to the attack source as the second packet forwarding device.

Step 6: After receiving the DDoS prevention policy, the second packetforwarding device may perform, based on the DDoS prevention policy,black-hole routing, traffic limiting (rate limiting), discarding, localcleaning, dynamic diversion and cleaning, or the like. Local cleaningmeans that a packet forwarding device performs DDoS prevention cleaningprocessing on traffic conforming to the DDoS prevention policy. Dynamicdiversion and cleaning means that a packet forwarding device divertstraffic conforming to the DDoS prevention policy to a dedicated cleaningdevice for cleaning, and the cleaning device injects cleaned traffic tothe SDN.

Step 7: After the second packet forwarding device receives a preventioncancellation instruction message sent by the controller, a normaltraffic forwarding path is restored, diversion stops, and the cleaningdevice stops cleaning processing.

It should be noted that traffic statistics collection performed by thefirst packet forwarding device on the traffic flowing to the destinationIP address is implemented by means of pipeline processing in a procedurespecified in the OPENFLOW protocol. Further, first, the first packetforwarding device defines a destination IP address monitoring table as aflow table. When a destination IP address of specific traffic hits adestination IP address in the IP monitoring table, it is considered thatan entry in the flow table is hit. The first packet forwarding deviceextracts information about a data packet of the traffic, and updates astatistical result of the entry. Generally, a form of the statisticalresult is expressed as Statistical value of the first packet forwardingdevice=Original statistical value of the first packet forwardingdevice+Quantity of data packets. The first packet forwarding devicedetects, at the same time, whether a detection period expires. If thedetection period expires, the action item (action) is set as sending astatistical data log of the first packet forwarding device to thecontroller, and the statistical result temporarily stored in the firstpacket forwarding device is cleared, and a next statistical periodstarts.

The following describes the foregoing controller and packet forwardingdevice in the SDN using a specific embodiment.

FIG. 10 is a schematic flowchart of another SDN-based DDoS attackprevention method according to an embodiment of the present disclosure.The method is executed by the foregoing controller, and the controllermay use the structure shown in FIG. 4 or FIG. 7. Referring to FIG. 10,the method includes the following steps.

Step 100: The controller delivers a traffic statistics collectioninstruction to a first packet forwarding device, where the trafficstatistics collection instruction is used to instruct the first packetforwarding device to perform traffic statistics collection.

The traffic statistics collection instruction carries a destination IPaddress.

Step 101: The controller collects statistical data reported by the firstpacket forwarding device according to the traffic statistics collectioninstruction, where the statistical data includes statistical informationof traffic flowing to a destination IP address.

Step 102: The controller obtains, according to the statistical data, astatistical value of global traffic flowing to the destination IPaddress.

The statistical value of the global traffic indicates a statisticalvalue that is used to reflect traffic flowing to the destination IPaddress within a range of the SDN and that is obtained after thecontroller summarizes statistical data reported by at least two packetforwarding devices including the first packet forwarding device.

Step 103: The controller determines whether the statistical value of theglobal traffic exceeds a preset threshold.

Step 104: The controller delivers a DDoS prevention policy to a secondpacket forwarding device based on a determining result that thestatistical value of the global traffic exceeds the preset threshold.

According to the SDN-based DDoS attack prevention method provided inthis embodiment of the present disclosure, a controller delivers atraffic statistics collection instruction to a first packet forwardingdevice. The traffic statistics collection instruction is used toinstruct the first packet forwarding device to perform trafficstatistics collection, and the traffic statistics collection instructioncarries a destination IP address. The controller collects statisticaldata reported by the first packet forwarding device according to thetraffic statistics collection instruction. The statistical data includesstatistical information of traffic flowing to the destination IPaddress. The controller obtains, according to the statistical data, astatistical value of global traffic flowing to the destination IPaddress. The statistical value of the global traffic indicates astatistical value that is used to reflect traffic flowing to thedestination IP address within a range of the SDN and that is obtainedafter the controller summarizes statistical data reported by at leasttwo packet forwarding devices including the first packet forwardingdevice. The controller determines whether the statistical value of theglobal traffic exceeds a preset threshold, and delivers a DDoSprevention policy to a second packet forwarding device based on adetermining result that the statistical value of the global trafficexceeds the preset threshold. This reduces impact of a DDoS attack on anetwork and improves network security.

Optionally, the traffic statistics collection instruction furthercarries a detection start time.

The detection start time is used to notify the first packet forwardingdevice of a start time of the traffic statistics collection, the trafficstatistics collection is continuously performed by the first packetforwarding device according to a detection period, and the statisticaldata is reported by the first packet forwarding device to the controlleraccording to the detection period.

Further, the controller needs a mechanism used to determine whether anetwork attack stops. Further, on a basis of FIG. 10, FIG. 11 is aschematic flowchart of another SDN-based DDoS attack prevention methodaccording to this embodiment of the present disclosure. Referring toFIG. 11, after step 104, the method further includes the followingsteps.

Step 105: The controller determines that the statistical value of theglobal traffic does not exceed the preset threshold in at least twosuccessive detection periods.

Step 106: The controller delivers a prevention cancellation instructionmessage to the second packet forwarding device.

The prevention cancellation instruction message is used to instruct thesecond packet forwarding device to stop executing the DDoS preventionpolicy.

Optionally, the controller may further deliver the DDoS preventionpolicy to a packet forwarding device that is close to an attack sourceand that is located on an SDN edge. Further, on a basis of FIG. 10, FIG.12 is a schematic flowchart of another SDN-based DDoS attack preventionmethod according to this embodiment of the present disclosure. Referringto FIG. 12, before step 104, the method further includes the followingstep.

Step 107: The controller determines, according to the statistical data,a packet forwarding device closest to an attack source on an attackpath, and uses the packet forwarding device closest to the attack sourceas the second packet forwarding device.

Further, the statistical information of the traffic flowing to thedestination IP address includes a volume of the traffic flowing from thefirst packet forwarding device to the destination IP address. A possibleimplementation of step 107 is as follows.

The controller determines a first attack path according to the volume ofthe traffic flowing from the first packet forwarding device to thedestination IP address.

The first attack path is an attack path, of at least one attack path,with a maximum volume of traffic flowing to the destination IP address.

The controller determines, according to the first attack path, thepacket forwarding device closest to the attack source.

The packet forwarding device closest to the attack source is located onan SDN edge that is on the first attack path and that is on a side of asource address of the traffic flowing to the destination IP address.

The following further describes Manner 1 that “the controllerdetermines, according to the statistical data, a packet forwardingdevice closest to an attack source on an attack path.” FIG. 13 is aschematic diagram of determining an attack path and a closest attacksource. Referring to FIG. 13, an SDN includes packet forwarding devicesA to G, and a controller. The packet forwarding device A is connected toan Internet service provider (ISP) network 1. An attack source of anetwork attack is in the ISP network 1. The packet forwarding device Bis connected to an ISP network 2. The packet forwarding device F isconnected to an ISP network 3. The packet forwarding device E isconnected to a network to which a destination IP (for exampleIP=10.0.0.1) belongs. The destination IP is a destination IP address ofnetwork attack traffic, that is, an IP address of a victim host. Thepacket forwarding device A, the packet forwarding device B, the packetforwarding device E, and the packet forwarding device F are used byother networks to access the SDN, and therefore these packet forwardingdevices are located on an SDN edge.

Referring to FIG. 13, first, the controller determines, according to anSDN topological relationship, the packet forwarding device E closest tothe destination IP address and the foregoing several packet forwardingdevices that are located on the SDN edge. In the SDN, there may bemultiple paths for the network attack traffic to flow from the attacksource to the destination IP address. For example, the traffic path maybe: the packet forwarding device A→the packet forwarding device G→thepacket forwarding device E, which is briefly referred to as a firstattack path hereinafter, the packet forwarding device A→the packetforwarding device F→the packet forwarding device E, which is brieflyreferred to as a second attack path hereinafter, or the packetforwarding device A→the packet forwarding device B the packet forwardingdevice G→the packet forwarding device E, which is briefly referred to asa third attack path hereinafter. The controller collects statisticaldata of traffic flowing to the destination IP address on each attackpath, and the controller sorts the traffic flowing to the destination IPaddress on each attack path, and determines that the first attack pathis an attack path with the largest traffic. Then, the controllerdetermines that the packet forwarding device A is closest to the attacksource.

Still referring to FIG. 13, the following describes the first packetforwarding device and the second packet forwarding device. After thecontroller delivers a traffic statistics collection instruction to thefirst packet forwarding device, the first packet forwarding deviceperforms traffic statistics collection according to the trafficstatistics collection instruction. For the packet forwarding devices inFIG. 13, all of the packet forwarding devices A to G may perform trafficstatistics collection, and therefore all of the packet forwardingdevices A to G may be used as the first packet forwarding device.Further, after the controller determines that the packet forwardingdevice A is closest to the attack source, the controller delivers a DDoSprevention policy to the packet forwarding device A, and uses the packetforwarding device A as the second packet forwarding device.Alternatively, the network attack traffic flowing to the destination IPaddress may pass through the packet forwarding devices A, B, and Fseparately, and the controller may separately deliver a DDoS preventionpolicy to the packet forwarding devices A, B, and F, and set the packetforwarding devices A, B, and F as the second packet forwarding device.

Optionally, the DDoS prevention policy includes any one of a black-holeroute response policy, a traffic limiting response policy, a ratelimiting response policy, a discarding response policy, a local cleaningresponse policy, or a dynamic diversion and cleaning response policy.

The black-hole route response policy is used to instruct the secondpacket forwarding device to perform, by configuring a black-hole route,packet discarding processing on the traffic flowing to the destinationIP address.

The traffic limiting response policy is used to instruct the secondpacket forwarding device to perform traffic limiting processing on thetraffic flowing to the destination IP address.

The rate limiting response policy is used to instruct the second packetforwarding device to perform rate limiting processing on the trafficflowing to the destination IP address.

The discarding response policy is used to instruct the second packetforwarding device to perform packet discarding processing on the trafficflowing to the destination IP address.

The local cleaning response policy is used to instruct the second packetforwarding device to locally perform cleaning processing on the trafficflowing to the destination IP address.

The dynamic diversion and cleaning response policy is used to instructthe second packet forwarding device to send the traffic flowing to thedestination IP address to a cleaning device for cleaning processing.

For the dynamic diversion and cleaning response policy, before thecontroller delivers the dynamic diversion and cleaning response policy,the controller needs to determine a path with minimum network impact todivert the traffic. The following describes several possibleimplementations.

Manner 1: On a basis of FIG. 10, FIG. 14 is a schematic flowchart ofanother SDN-based DDoS attack prevention method according to thisembodiment of the present disclosure. Referring to FIG. 14, thestatistical data further includes a load value of the first packetforwarding device.

Further, before step 104, the method further includes the followingstep.

Step 108: The controller determines a first diversion path according tothe load value of the first packet forwarding device.

The first diversion path is a path with a minimum load between thesecond packet forwarding device and the cleaning device, and the firstdiversion path includes the second packet forwarding device and thecleaning device.

The DDoS prevention policy delivered by the controller to the secondpacket forwarding device is the dynamic diversion and cleaning responsepolicy.

Further, the dynamic diversion and cleaning response policy includesindication information of the first diversion path. The indicationinformation of the first diversion path is used to instruct the secondpacket forwarding device to send, through the first diversion path, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing.

Manner 2: On a basis of FIG. 10, FIG. 15 is a schematic flowchart ofanother SDN-based DDoS attack prevention method according to thisembodiment of the present disclosure. Referring to FIG. 15, before step104, the method further includes the following step.

Step 109: The controller determines a second diversion path according toan SDN topological relationship.

Further, the second diversion path is a shortest path between the secondpacket forwarding device and the cleaning device, and the SDNtopological relationship includes a connection relationship between thepacket forwarding devices in the SDN and a connection relationshipbetween one or more packet forwarding devices and the cleaning device.

The DDoS prevention policy delivered by the controller to the secondpacket forwarding device is the dynamic diversion and cleaning responsepolicy.

Further, the dynamic diversion and cleaning response policy includesindication information of the second diversion path. The indicationinformation of the second diversion path is used to instruct the secondpacket forwarding device to send, through the second diversion path, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing.

Referring the FIG. 13, the “first diversion path” in Manner 1 isdescribed. For example, it is assumed that the packet forwarding deviceF receives the traffic statistics collection instruction sent by thecontroller. The packet forwarding device F serves as the first packetforwarding device to perform traffic statistics collection, and reportsthe statistical data to the controller. If the controller delivers thedynamic diversion and cleaning response policy to the packet forwardingdevice F, the packet forwarding device F serves as the second packetforwarding device to perform the dynamic diversion and cleaning responsepolicy. The packet forwarding device F is connected to the cleaningdevice. The dynamic diversion and cleaning response policy includes theindication information of the first diversion path, and the indicationinformation of the first diversion path is used to instruct the packetforwarding device F to send, through the first diversion path, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing. The packet forwarding device F is directlyconnected to the cleaning device. Therefore, a diversion path betweenthe packet forwarding device F and the cleaning device is obviously apath with a minimum load between the packet forwarding device F and thecleaning device, and the first diversion path includes the packetforwarding device F and the cleaning device.

For another example, it is assumed that the cleaning device is connectedto the packet forwarding device D. If the controller delivers thedynamic diversion and cleaning response policy to the packet forwardingdevice F, the packet forwarding device F serves as the second packetforwarding device to perform the dynamic diversion and cleaning responsepolicy. In this case, there may be multiple possible diversion paths fordiverting traffic from the packet forwarding device F to the cleaningdevice, for example, F-E-G-D-cleaning device, and F-A-G-D-cleaningdevice. Different diversion paths have different loads. The controllerdetermines the first diversion path based on the statistical datareported when the packet forwarding device in the foregoing path servesas the first packet forwarding device. For example, if F-E-G-D-cleaningdevice has the minimum load, the first diversion path includes thepacket forwarding devices F, E, G, and D, and the cleaning device.

It should be noted that the steps shown in FIG. 14 and FIG. 15 may beimplemented in combination with the steps shown in FIG. 10, or may beimplemented in combination with the steps shown in FIG. 11 and FIG. 12.

Corresponding to the foregoing embodiment on a controller side, thefollowing describes the method procedure on a packet forwarding deviceside.

FIG. 16 is a schematic flowchart of another SDN-based DDoS attackprevention method according to this embodiment of the presentdisclosure. The method is applied to an SDN system. The SDN systemincludes a controller and a packet forwarding device. The method isexecuted by the packet forwarding device. The packet forwarding devicemay use the structure shown in FIG. 5 or FIG. 8. Referring to FIG. 16,the method includes the following steps.

Step 200: Receive a traffic statistics collection instruction sent bythe controller, where the traffic statistics collection instruction isused to instruct the packet forwarding device to perform trafficstatistics collection.

The traffic statistics collection instruction carries a destination IPaddress.

Step 201: Collect, according to the traffic statistics collectioninstruction, statistical information of traffic flowing to thedestination IP address.

Step 202: Report statistical data to the controller, where thestatistical data includes the statistical information of the trafficflowing to the destination IP address.

According to the SDN-based DDoS attack prevention method provided inthis embodiment of the present disclosure, a packet forwarding devicereceives a traffic statistics collection instruction sent by acontroller. The traffic statistics collection instruction is used toinstruct the packet forwarding device to perform traffic statisticscollection. The traffic statistics collection instruction carries adestination IP address. The packet forwarding device collects, accordingto the traffic statistics collection instruction, statisticalinformation of traffic flowing to the destination IP address. The packetforwarding device reports statistical data to the controller. Thestatistical data includes the statistical information of the trafficflowing to the destination IP address. The packet forwarding deviceperforms the traffic statistics collection on the traffic flowing to thedestination IP address, and reports the statistical data to thecontroller such that the controller can determine, based on thestatistical data, whether a DDoS attack occurs, and trigger acorresponding DDoS prevention policy. This reduces impact of a DDoSattack on a network and improves network security.

It should be noted that the packet forwarding device performing theforegoing step 200 to step 202 may be defined as the foregoing firstpacket forwarding device according to a function of the packetforwarding device.

Optionally, the traffic statistics collection instruction furthercarries a detection start time.

The detection start time is used to notify the packet forwarding deviceof a start time of the traffic statistics collection, the trafficstatistics collection is continuously performed according to a detectionperiod, and the statistical data is reported to the controller accordingto the detection period.

Further, when the controller executes a mechanism used to determinewhether a network attack stops, further, on a basis of FIG. 16, FIG. 17is a schematic flowchart of another SDN-based DDoS attack preventionmethod according to this embodiment of the present disclosure. Afterstep 202, the method further includes the following steps.

Step 203: Receive a DDoS prevention policy sent by the controller.

Step 204: Perform, according to the DDoS prevention policy, preventionprocessing on the traffic flowing to the destination IP address.

On a basis of FIG. 17, FIG. 18 is a schematic flowchart of anotherSDN-based DDoS attack prevention method according to this embodiment ofthe present disclosure. After step 204, the method further includes thefollowing steps.

Step 205: Receive a prevention cancellation instruction message sent bythe controller, where the prevention cancellation instruction message isused to instruct the packet forwarding device to stop executing the DDoSprevention policy.

Step 206: Stop, according to the prevention cancellation instructionmessage, performing prevention processing on the traffic flowing to thedestination IP address.

Optionally, the DDoS prevention policy includes any one of a black-holeroute response policy, a traffic limiting response policy, a ratelimiting response policy, a discarding response policy, a local cleaningresponse policy, or a dynamic diversion and cleaning response policy.

The black-hole route response policy is used to instruct the packetforwarding device to perform, by configuring a black-hole route, packetdiscarding processing on the traffic flowing to the destination IPaddress.

In this case, a possible implementation of step 204 includes performing,using the black-hole route according to the black-hole route responsepolicy, packet discarding processing on the traffic flowing to thedestination IP address.

The traffic limiting response policy is used to instruct the packetforwarding device to perform traffic limiting processing on the trafficflowing to the destination IP address.

In this case, a possible implementation of step 204 includes performing,according to the traffic limiting response policy, traffic limitingprocessing on the traffic flowing to the destination IP address.

The rate limiting response policy is used to instruct the packetforwarding device to perform rate limiting processing on the trafficflowing to the destination IP address.

In this case, a possible implementation of step 204 includes performing,according to the rate limiting response policy, rate limiting processingon the traffic flowing to the destination IP address.

The discarding response policy is used to instruct the packet forwardingdevice to perform packet discarding processing on the traffic flowing tothe destination IP address.

In this case, a possible implementation of step 204 includes performing,according to the discarding response policy, packet discardingprocessing on the traffic flowing to the destination IP address.

The local cleaning response policy is used to instruct the packetforwarding device to locally perform cleaning processing on the trafficflowing to the destination IP address.

In this case, a possible implementation of step 204 includes locallyperforming, according to the local cleaning response policy, cleaningprocessing on the traffic flowing to the destination IP address.

The dynamic diversion and cleaning response policy is used to instructthe packet forwarding device to send the traffic flowing to thedestination IP address to a cleaning device for cleaning processing.

In this case, a possible implementation of step 204 includes sending,according to the dynamic diversion and cleaning response policy, thetraffic flowing to the destination IP address to the cleaning device forcleaning processing.

For the dynamic diversion and cleaning response policy, before thecontroller delivers the dynamic diversion and cleaning response policy,the controller needs to determine a path with minimum network impact todivert the traffic. To implement the solution, on the controller side,in which diversion is performed based on the path with the minimumnetwork impact, the following describes a method procedure that needs tobe performed by the packet forwarding device.

Manner 1:

The statistical data further includes a load value of the first packetforwarding device.

The dynamic diversion and cleaning response policy includes indicationinformation of the first diversion path. The indication information ofthe first diversion path is used to instruct the packet forwardingdevice to send, through the first diversion path, the traffic flowing tothe destination IP address to the cleaning device for cleaningprocessing. The first diversion path is a path with a minimum loadbetween the packet forwarding device and the cleaning device. The firstdiversion path includes the second packet forwarding device and thecleaning device.

A possible implementation of step 204 includes sending, through thefirst diversion path according to the dynamic diversion and cleaningresponse policy, the traffic flowing to the destination IP address tothe cleaning device for cleaning processing.

Manner 2:

The dynamic diversion and cleaning response policy includes indicationinformation of the second diversion path. The indication information ofthe second diversion path is used to instruct the packet forwardingdevice to send, through a second diversion path, the traffic flowing tothe destination IP address to the cleaning device for cleaningprocessing. The second diversion path is a shortest path between thepacket forwarding device and the cleaning device.

A possible implementation of step 204 includes sending, through thesecond diversion path according to the dynamic diversion and cleaningresponse policy, the traffic flowing to the destination IP address tothe cleaning device for cleaning processing.

The following provides a possible processing manner for a local cleaninginstruction. FIG. 19 is a schematic flowchart of local cleaningprocessing. Referring to FIG. 19, the flowchart includes a processingprocess for classifying data packets.

Step 300: Determine whether a data packet conforms to the TCP.

If the data packet conforms to the TCP protocol, perform step 301. Ifthe data packet does not conform to the TCP protocol, perform step 308.Further “Yes” designated with “Y” and the “No” designated with “N” inFIG. 19.

Step 301: Determine whether the data packet is a Hyper Text TransferProtocol (HTTP) packet.

If the data packet is an HTTP packet, use an HTTP packet processingfunction to perform cleaning processing on the data packet. If the datapacket is not an HTTP packet, perform step 302.

Step 302: Determine whether the data packet is a domain name system(DNS) packet.

If the data packet is a DNS packet, use a DNS packet processing functionto perform cleaning processing on the data packet. If the data packet isnot a DNS packet, perform step 303.

Step 303: Determine whether the data packet is a TCP fragmented packet.

If the data packet is a TCP fragmented packet, use a TCP fragmentedpacket processing function to perform cleaning processing on the datapacket. If the data packet is not a TCP fragmented packet, perform step304.

Step 304: Determine whether the data packet is a SYN packet.

If the data packet is a SYN packet, use a SYN packet processing functionto perform cleaning processing on the data packet. If the data packet isnot a SYN packet, perform step 305.

Step 305: Determine whether the data packet is an acknowledgement (ACK)packet.

If the data packet is an ACK packet, use an ACK packet processingfunction to perform cleaning processing on the data packet. If the datapacket is not an ACK packet, perform step 306.

Step 306: Determine whether the data packet is a SYN-ACK packet.

If the data packet is a SYN-ACK packet, use a SYN-ACK packet processingfunction to perform cleaning processing on the data packet. If the datapacket is not a SYN-ACK packet, perform step 307.

Step 307: Determine whether the data packet is a reset (RST) packet.

If the data packet is an RST packet, use a RST packet processingfunction to perform cleaning processing on the data packet. If the datapacket is not an RST packet, return to the previous step.

Step 308: Determine whether the data packet conforms to the UDPprotocol.

If the data packet conforms to the UDP protocol, perform step 309. Ifthe data packet does not conform to the UDP protocol, return to theprevious step.

Step 309: Determine whether the data packet is a DNS query packet.

If the data packet is a DNS query packet, use a query packet processingfunction to perform cleaning processing on the data packet. If the datapacket is not a DNS query packet, perform step 310.

Step 310: Determine whether the data packet is a DNS response packet.

If the data packet is a DNS response packet, use a DNS response packetprocessing function to perform cleaning processing on the data packet.If the data packet is not a DNS response packet, perform step 311.

Step 311: Determine whether the data packet is a Session InitiationProtocol (SIP) packet.

If the data packet is a SIP packet, use a SIP packet processing functionto perform cleaning processing on the data packet. If the data packet isnot a SIP packet, perform step 312.

Step 312: Determine whether the data packet is a UDP fragmented packet.

If the data packet is a UDP fragmented packet, use a UDP fragmentedpacket processing function to perform cleaning processing on the datapacket. Otherwise, a UDP packet processing function is used to performcleaning processing on the data packet.

It should be noted that the solution shown in FIG. 19 is only onepossible implementation solution. Another processing procedure that canimplement local cleaning is not limited in this embodiment.

It should be noted that the packet forwarding device performingforegoing step 203 to step 206 may be defined as the foregoing secondpacket forwarding device according to a function of the packetforwarding device.

For the procedure performed by the controller in the embodimentcorresponding to FIG. 10 to FIG. 15 and the procedure performed by thepacket forwarding device in the embodiment corresponding to FIG. 16 toFIG. 19, the following uses a specific embodiment to describeinteraction between the controller and the packet forwarding device.FIG. 20 is a schematic diagram of an interaction procedure of anSDN-based DDoS attack prevention method according to an embodiment ofthe present disclosure. Referring to FIG. 20, the interaction procedureincludes the following steps.

Step 400: The controller delivers a traffic statistics collectioninstruction to a first packet forwarding device.

Step 401: The first packet forwarding device collects, according to thetraffic statistics collection instruction, statistical information oftraffic flowing to a destination IP address.

Step 402: The controller receives statistical data sent by the firstpacket forwarding device.

Step 403: The controller obtains, according to the statistical data, astatistical value of global traffic flowing to the destination IPaddress.

Step 404: The controller determines whether the statistical value of theglobal traffic exceeds a preset threshold.

Step 405: The controller delivers a DDoS prevention policy to a secondpacket forwarding device based on a determining result that thestatistical value of the global traffic exceeds the preset threshold.

Step 406: The second packet forwarding device performs, according to theDDoS prevention policy, prevention processing on the traffic flowing tothe destination IP address.

Step 407: The controller determines that the statistical value of theglobal traffic does not exceed the preset threshold in at least twosuccessive detection periods.

Step 408: The controller delivers a prevention cancellation instructionmessage to the second packet forwarding device.

Step 409: The second packet forwarding device stops, according to theprevention cancellation instruction message, performing preventionprocessing on the traffic flowing to the destination IP address.

The following uses a specific embodiment to describe interaction betweena controller and a packet forwarding device. FIG. 21 is a schematicdiagram of interaction in another SDN-based DDoS attack preventionmethod according to an embodiment of the present disclosure. Referringto FIG. 21, the interaction includes the following steps.

Step 500: The controller delivers a traffic statistics collectioninstruction to the packet forwarding device.

Step 501: The packet forwarding device sends a traffic statisticscollection instruction acknowledgement message to the controller.

Step 502: The packet forwarding device creates a destination IP addressmonitoring table to monitor traffic.

Step 503: The controller periodically delivers a query message.

It should be noted that step 503 may alternatively be: The packetforwarding device periodically and proactively reports statistical data.

Step 504: The packet forwarding device sends an acknowledgement messageto the controller. The acknowledge message includes statistical data.

Step 505: The controller periodically summarizes statistical informationof traffic monitored based on a destination IP address, and determineswhether a specified threshold is exceeded, and if the specifiedthreshold is exceeded, determines that a DDoS attack start state isentered, and if the specified threshold is not exceeded, continuesmonitoring.

Enter the DDoS attack start state, and the controller finds, accordingto a monitoring result, a packet forwarding device that is closest to anattack source.

Step 506: The controller delivers a DDoS prevention policy.

Step 507: The packet forwarding device sends a DDoS prevention policyresponse message to the controller.

Step 508: The packet forwarding device starts a prevention action.

Step 509: Enter the DDoS attack start state, and after multiple periods,the controller learns that traffic restores to normal, determines thatan attack end state is entered, and continues to monitor traffic.

Enter the attack end state.

Step 510: The controller delivers a prevention cancellation instructionmessage to the packet forwarding device that makes a response.

Step 511: The packet forwarding device sends a prevention cancellationinstruction response message to the controller.

The following provides a specific implementation for a message,signaling, and an information element in the interaction in FIG. 20 orFIG. 21.

The packet forwarding device creates the destination IP addressmonitoring table (ddos-group table) that is based on the foregoingdestination IP address. The table is a hash table. If in anestablishment algorithm, a specified destination IP address is used tohit a destination IP address of a traffic data packet, it is consideredthat the table is hit, and the packet forwarding device may performtraffic statistics collection.

In a possible implementation of the statistical information of thetraffic flowing to the destination IP address, fields included in thestatistical information of the traffic may include the information of atotal quantity of packets (ULONG ulPacketSum), a total quantity of bytes(ULONG ulByteSum), a packet rate (ULONG ulICMPPktRate), ICMP bandwidth(ULONG ulICMPBand), a TCP packet rate (ULONG ulTcpPktRate), TCPbandwidth (ULONG ulTcpBand), a UDP packet rate (ULONG ulUdpPktRate), andUDP bandwidth (ULONG ulUdpBand).

Optionally, for all types of TCP packets, a field included in thestatistical information of the traffic may include at least one type ofthe following information: a SYN packet rate (ULONG ulSynPktRate), SYNpacket bandwidth (ULONG ulSynBand), an ACK packet rate (ULONGulAckPktRate), ACK packet bandwidth (ULONG ulAckBand), a SYN/ACK packetrate (ULONG ulSynAckPktRate), SYN/ACK packet bandwidth (ULONGulSynAckBand), a FIN packet rate (ULONG ulFinPktRate), FIN packetbandwidth (ULONG ulFinBand), an RST packet rate (ULONG ulRstPktRate),RST packet bandwidth (ULONG ulRstBand), an error packet rate (ULONGulErrPktRate), error packet bandwidth (ULONG ulErrBand), a fragmentedpacket rate (ULONG ulFragPktRate), fragmented packet bandwidth (ULONGulFragBand), an HTTP GET packet rate (ULONG ulHttpGetPktRate), HTTP GETpacket bandwidth (ULONG ulHttpGetBand), a DNS packet rate (ULONGulDnsByteNum), DNS packet bandwidth (ULONG ulDnsBand), and a quantity offlows (ULONG ulFlowCnt).

In addition, the foregoing statistical data further includes a loadvalue of the first packet forwarding device. Further, an implementationof the load value of the first packet forwarding device may be athroughput of the first packet forwarding device, or bandwidth usage ofthe first packet forwarding device, or the like. Further, the load valueof the first packet forwarding device may be set in a field in thestatistical information of the traffic, or may be set in an idle fieldin the statistical data.

The following provides a possible implementation of a message exchangedbetween the controller and the packet forwarding device

The controller sends a traffic statistics collection instruction to thepacket forwarding device. Correspondingly, the packet forwarding devicesends a traffic statistics collection instruction acknowledgementmessage to the controller. Based on the OPENFLOW protocol, theseexchanged messages may be in the following data structure:

   struct ofp_ddos_config {  struct ofp_header header; /* TypeOFPT_ROLE_REQUEST/   OFPT_ROLE_REPLY. */  uint32_t dstip[4];/*destination IP address*/  uint32_t netoff[4]; /*subnet mask*/ uint64_t stat ctrl; /*statistics collection enablement, enabled ordisabled*/  uint64_t stat_tics; /* statistical period, seconds*/ uint64_t stat_fun; /*statistics collection sub-function switch, enabledby bit*/ };

Further, the exchanged messages using the data structure may carry amessage type field (Type OFPT_ROLE_REQUEST/OFPT_ROLE_REPLY), destinationIP address field, subnet mask field, statistics collection enablementfield, statistical period field, and statistics collection sub-functionswitch field.

The destination IP address field occupies four bytes. The subnet maskfield occupies four bytes. The statistics collection enablement fieldoccupies eight bytes, and is used to instruct to enable trafficstatistics collection or disable traffic statistics collection. Thestatistical period field occupies eight bytes, and is used to indicate atraffic statistics collection period, a time unit of the statisticalperiod field may be seconds or another time unit meeting an SDNrequirement. The statistics collection sub-function switch fieldoccupies eight bytes, and is used to instruct to enable or disable, bybit, a function related to traffic statistics collection.

The controller collects statistical data reported by the packetforwarding device according to the traffic statistics collectioninstruction. Further, the controller may send a query message to thepacket forwarding device, and receive an acknowledgement message sent bythe packet forwarding device. The acknowledgement message includes thestatistical data. Based on the OPENFLOW protocol, the query message andthe acknowledgement message may be in the following data structure:

 struct ofp_ddos report {  struct ofp_header header; /*Type OFPT_ROLEREQUEST/OFPT_ROLE_REPLY. */  uint32_t dstip[4]; /*destination IPaddress*/  uint32_t netoff[4]; /*subnet mask*/  uint64_t stat_tics;/*statistical period, seconds*/  uint32_t stat_times; /*quantity ofperiods that have been counted and reported up to now*/  structofp_ddos_stat statdata; /*summarization of statistical  information oftraffic*/  };

Further, the query message and the acknowledgement message that use thedata structure carry a message type field (TypeOFPT_ROLE_REQUEST/OFPT_ROLE_REPLY), destination IP address field, subnetmask field, statistical period field, field of quantity of periods thathave been counted and reported up to now, and summarization field ofstatistical information of traffic.

The destination IP address field occupies four bytes. The subnet maskfield occupies four bytes. The statistical period field occupies eightbytes, and is used to indicate a traffic statistics collection period, atime unit of the statistical period field may be seconds or another timeunit meeting an SDN requirement. The field of the quantity of periodsthat have been counted and reported up to now occupies four bytes. Thesummarization of the statistical information of the traffic includesstatistical items included in the packet forwarding device, and eachstatistical item is included in the data structure in forms of astatistics variable name and a statistical variable value.

After determining that a network attack occurs, the controller deliversa DDoS prevention policy to the packet forwarding device, the packetforwarding device sends a DDoS prevention policy response message to thecontroller. After the network attack stops, the controller delivers aprevention cancellation instruction message to the packet forwardingdevice, and the packet forwarding device sends a prevention cancellationinstruction response message to the controller. Based on the OPENFLOWprotocol, these exchanged messages may be in the following datastructure:

 struct ofp_ddos action {  struct ofp_header header; /*TypeOFPT_ROLE_REQUEST/OFPT_ROLE_REPLY. */  uint32_t dstip[4]; /*destinationIP address*/  uint32_t netoff[4]; /*subnet mask*/  uint64_t action flag; /*action enablement, enabled or disabled*/  uint64_t action type; /*response action type*/  struct ofp_ddos action_param  actionparam;/*response action parameter set*/  };

Further, the exchanged messages using the data structure carry a messagetype field (Type OFPT_ROLE_REQUEST/OFPT_ROLE_REPLY), a destination IPaddress field, a subnet mask field, action enablement field, a responseaction type field, and a response action parameter set field.

The destination IP address field occupies four bytes. The subnet maskfield occupies four bytes. The action enablement field occupies eightbytes, and is used to indicate that an action is in an “enabled” or“disabled” state. The response action type field occupies eight bytes,and includes black-hole route, traffic limiting (rate limiting),discarding, local cleaning, and diversion and cleaning. The responseaction parameter set includes a parameter related to a specific responseaction.

Persons of ordinary skill in the art may understand that all or some ofthe steps of the method embodiments may be implemented by a programinstructing relevant hardware. The program may be stored in acomputer-readable storage medium. When the program runs, the steps ofthe method embodiments are performed. The foregoing storage mediumincludes any medium that can store program code, such as a read-onlymemory (ROM), a random access memory (RAM), a magnetic disk, or anoptical disc.

Finally, it should be noted that the foregoing embodiments are merelyintended for describing the technical solutions of the presentdisclosure, but not for limiting the present disclosure. Although thepresent disclosure is described in detail with reference to theforegoing embodiments, persons of ordinary skill in the art shouldunderstand that they may still make modifications to the technicalsolutions described in the foregoing embodiments or make equivalentreplacements to some or all technical features thereof, withoutdeparting from the scope of the technical solutions of the embodimentsof the present disclosure.

What is claimed is:
 1. An attack prevention method, comprising:delivering, by a controller, a plurality of traffic statisticscollection instructions respectively to a plurality of forwardingdevices, wherein each of the plurality of traffic statistics collectioninstructions is used by a packet forwarding device of the plurality offorwarding devices to perform traffic statistics collection based on adestination Internet Protocol (IP) address, and wherein each of thetraffic statistics collection instruction includes the destination IPaddress; collecting, by the controller, pieces of statistical datarespectively reported by the plurality of forwarding devices, wherein afirst piece of the statistical data comprises statistical information oftraffic flowing to the destination IP address through a first forwardingdevice reporting the first piece of the statistical data; obtaining, bythe controller, based on the pieces of statistical data respectivelyreported by the plurality of forwarding devices, a statistical value,wherein the statistical value reflects traffic flowing to, via theplurality of packet forwarding devices, the destination IP address; anddelivering, by the controller, a prevention policy to a second packetforwarding device when the statistical value exceeds a preset threshold.2. The method according to claim 1, wherein the traffic statisticscollection instruction further includes a detection start time, andwherein the detection start time indicates a start time of the trafficstatistics collection.
 3. The method according to claim 2, wherein thetraffic statistics collection is continuously performed by the pluralityof packet forwarding devices according to a detection period, the piecesof statistical data are reported by the plurality of packet forwardingdevices to the controller according to the detection period, and thestatistical value is updated by the controller based on pieces ofstatistical data continuously reported according to the detectionperiod, the method further comprising: determining, by the controller,that the statistical value does not exceed the preset threshold in atleast two successive detection periods; and delivering, by thecontroller, a prevention cancellation instruction message to the secondpacket forwarding device, and wherein the prevention cancellationinstruction message instructs the second packet forwarding device tostop executing the prevention policy.
 4. The method according to claim1, wherein before delivering the prevention policy to the second packetforwarding device, the method further comprises: determining, by thecontroller according to the pieces of statistical data respectivelyreported by the plurality of forwarding devices, a packet forwardingdevice closest to an attack source on an attack path; and setting, bythe controller, the packet forwarding device closest to the attacksource as the second packet forwarding device.
 5. The method accordingto claim 4, wherein the first piece of the statistical informationcomprises a volume of traffic flowing from the first packet forwardingdevice to the destination IP address, and wherein determining a packetforwarding device closest to an attack source on an attack pathcomprises: determining, by the controller, a first attack path accordingto the volume of the traffic flowing from each of the plurality ofpacket forwarding devices to the destination IP address, wherein thefirst attack path is an attack path, of at least one attack path, with amaximum volume of the traffic flowing to the destination IP address; anddetermining, by the controller according to the first attack path, thatthe packet forwarding device closest to the attack source is located ona software defined networking (SDN) edge on the first attack path and ona side of a source address of the traffic flowing to the destination IPaddress.
 6. The method according to claim 1, wherein the preventionpolicy comprises any one of: a black-hole route response policyinstructing the second packet forwarding device to perform, byconfiguring a black-hole route, packet discarding process on the trafficflowing to the destination IP address; a traffic limiting responsepolicy instructing the second packet forwarding device to performtraffic limiting process on the traffic flowing to the destination IPaddress; a rate limiting response policy instructing the second packetforwarding device to perform rate limiting process on the trafficflowing to the destination IP address; a discarding response policyinstructing the second packet forwarding device to perform the packetdiscarding process on the traffic flowing to the destination IP address;a local cleaning response policy instructing the second packetforwarding device to locally perform cleaning process on the trafficflowing to the destination IP address; or a dynamic diversion andcleaning response policy instructing the second packet forwarding deviceto send the traffic flowing to the destination IP address to a cleaningdevice for the cleaning process.
 7. The method according to claim 6,wherein the first piece of statistical data further comprises a loadvalue of the first packet forwarding device, wherein before thecontroller delivers the prevention policy to the second packetforwarding device, the method further comprises determining, by thecontroller, a first diversion path according to load value of each ofthe plurality of packet forwarding device, wherein the first diversionpath is a path with a minimum load between the second packet forwardingdevice and the cleaning device, wherein the first diversion path goesthrough the second packet forwarding device and the cleaning device,wherein the prevention policy delivered by the controller to the secondpacket forwarding device is the dynamic diversion and cleaning responsepolicy, wherein the dynamic diversion and cleaning response policycomprises indication information of the first diversion path, andwherein the indication information of the first diversion path instructsthe second packet forwarding device to send, through the first diversionpath, the traffic flowing to the destination IP address to the cleaningdevice for the cleaning process.
 8. The method according to claim 6,wherein before the controller delivers the prevention policy to thesecond packet forwarding device, the method further comprisesdetermining, by the controller, a second diversion path according to anSDN topological relationship, wherein the second diversion path is ashortest path between the second packet forwarding device and thecleaning device, wherein the SDN topological relationship comprises aconnection relationship between packet forwarding devices in an SDN anda connection relationship between one or more packet forwarding devicesand the cleaning device, wherein the prevention policy delivered by thecontroller to the second packet forwarding device is the dynamicdiversion and cleaning response policy, wherein the dynamic diversionand cleaning response policy comprises indication information of thesecond diversion path, and wherein the indication information of thesecond diversion path instructs the second packet forwarding device tosend, through the second diversion path, the traffic flowing to thedestination IP address to the cleaning device for the cleaning process.9. The method according to claim 1, wherein the second packet forwardingdevice is one of the plurality of packet forwarding devices, or isexcluded from the plurality of packet forwarding devices.
 10. An attackprevention method, applied to a system comprising a controller and apacket forwarding device, comprising: receiving, by the packetforwarding device, a traffic statistics collection instruction from thecontroller, wherein the traffic statistics collection instruction isused by the packet forwarding device to perform traffic statisticscollection based on a destination Internet Protocol (IP) address, andwherein the traffic statistics collection instruction includes thedestination IP address; collecting, by the packet forwarding device,according to the traffic statistics collection instruction, a volume oftraffic flowing passing through the packet forwarding device to thedestination IP address; reporting, by the packet forwarding device,statistical data to the controller, wherein the statistical datacomprises the volume of traffic flowing passing through the packetforwarding device to the destination IP address; after the statisticaldata is reported, receiving, by the packet forwarding device, aprevention policy from the controller; and performing, by the packetforwarding device, prevention process on the traffic flowing to thedestination IP address based on the prevention policy.
 11. The methodaccording to claim 10, wherein the traffic statistics collectioninstruction further includes a detection start time, wherein thedetection start time indicates a start time of the traffic statisticscollection.
 12. The method according to claim 10, wherein the packetforwarding device performs the traffic statistics collectioncontinuously according to a detection period, and reports thestatistical data according to the detection period, and wherein afterreceiving the prevention policy from the controller, the method furthercomprises: receiving, by the packet forwarding device, a preventioncancellation instruction message from the controller so that the packetforwarding device stops executing the prevention policy based on thereceived prevention cancellation instruction message; and ceasing theprevention process on the traffic flowing to the destination IP addressbased on the prevention cancellation instruction message.
 13. The methodaccording to claim 10, wherein the prevention policy comprises any oneof: a black-hole route response policy instructing the packet forwardingdevice to perform, by configuring a black-hole route, packet discardingprocess on the traffic flowing to the destination IP address, whereinperforming the prevention process on the traffic flowing to thedestination IP address comprises performing, using the black-hole routeaccording to the black-hole route response policy, the packet discardingprocess on the traffic flowing to the destination IP address; a trafficlimiting response policy instructing the packet forwarding device toperform traffic limiting process on the traffic flowing to thedestination IP address, wherein performing the prevention process on thetraffic flowing to the destination IP address comprises performing,according to the traffic limiting response policy, the traffic limitingprocess on the traffic flowing to the destination IP address; a ratelimiting response policy instructing the packet forwarding device toperform rate limiting process on the traffic flowing to the destinationIP address, wherein performing the prevention process on the trafficflowing to the destination IP address comprises performing, according tothe rate limiting response policy, the rate limiting process on thetraffic flowing to the destination IP address; a discarding responsepolicy instructing the packet forwarding device to perform the packetdiscarding process on the traffic flowing to the destination IP address,wherein performing the prevention process on the traffic flowing to thedestination IP address comprises performing, according to the discardingresponse policy, the packet discarding process on the traffic flowing tothe destination IP address; a local cleaning response policy instructingthe packet forwarding device to locally perform cleaning process on thetraffic flowing to the destination IP address, wherein performing theprevention processing on the traffic flowing to the destination IPaddress comprises locally performing, according to the local cleaningresponse policy, the cleaning process on the traffic flowing to thedestination IP address; or a dynamic diversion and cleaning responsepolicy instructing the packet forwarding device to send the trafficflowing to the destination IP address to a cleaning device for thecleaning process, wherein performing the prevention process on thetraffic flowing to the destination IP address comprises sending,according to the dynamic diversion and cleaning response policy, thetraffic flowing to the destination IP address to the cleaning device forthe cleaning process.
 14. The method according to claim 13, wherein thestatistical data further comprises a load value of the packet forwardingdevice, wherein the dynamic diversion and cleaning response policycomprises indication information of a first diversion path, and theindication information of the first diversion path is used to instructthe packet forwarding device to send, through the first diversion path,the traffic flowing to the destination IP address to the cleaning devicefor cleaning processing, the first diversion path is a path with aminimum load between the packet forwarding device and the cleaningdevice, and the first diversion path goes through the packet forwardingdevice and the cleaning device, and and wherein the sending, accordingto the dynamic diversion and cleaning response policy, the trafficflowing to the destination IP address to the cleaning device forcleaning processing is performed by: sending, through the firstdiversion path according to the dynamic diversion and cleaning responsepolicy, the traffic flowing to the destination IP address to thecleaning device for cleaning processing.
 15. The method according toclaim 13, wherein the prevention policy is the dynamic diversion andcleaning response policy, wherein the dynamic diversion and cleaningresponse policy comprises indication information of a second diversionpath, wherein the indication information of the second diversion path isused by the packet forwarding device to send, through the seconddiversion path, the traffic flowing to the destination IP address to thecleaning device for the cleaning process, wherein the second diversionpath is a shortest path between the packet forwarding device and thecleaning device, and wherein sending the traffic flowing to thedestination IP address to the cleaning device for the cleaning processcomprises sending, through the second diversion path according to thedynamic diversion and cleaning response policy, the traffic flowing tothe destination IP address to the cleaning device for the cleaningprocess.
 16. A controller, comprising: a memory comprising instructions;a transceiver; and one or more processors coupled to the memory and thetransceiver, wherein the transceiver is configured to: deliver aplurality of traffic statistics collection instructions respectively toa plurality of forwarding devices, wherein each of the plurality oftraffic statistics collection instructions is used by a packetforwarding device of the plurality of forwarding devices to performtraffic statistics collection based on a destination Internet Protocol(IP) address, and wherein each of the traffic statistics collectioninstruction includes the destination IP address; and collect pieces ofstatistical data respectively reported by the plurality of forwardingdevices, wherein a first piece of the statistical data comprisesstatistical information of traffic flowing to the destination IP addressthrough a first forwarding device reporting the first piece of thestatistical data, wherein the one or more processors are configured to:obtain, based on the pieces of statistical data respectively reported bythe plurality of forwarding devices, a statistical value, wherein thestatistical value reflects traffic flowing to, via the plurality ofpacket forwarding devices, the destination IP address; and wherein thetransceiver is further configured to deliver a prevention policy to asecond packet forwarding device when the statistical value exceeds apreset threshold.
 17. A packet forwarding device, comprising: a memorycomprising instructions; a transceiver; and one or more processorscoupled to the memory and the transceiver, wherein the transceiver isconfigured to: receiving a traffic statistics collection instructionfrom the controller, wherein the traffic statistics collectioninstruction is used by the packet forwarding device to perform trafficstatistics collection based on a destination Internet Protocol (IP)address, and wherein the traffic statistics collection instructionincludes the destination IP address; wherein the one or more processorsare configured to: collecting, according to the traffic statisticscollection instruction, a volume of traffic flowing passing through thepacket forwarding device to the destination IP address; wherein thetransceiver is further configured to: reporting statistical data to thecontroller, wherein the statistical data comprises the volume of trafficflowing passing through the packet forwarding device to the destinationIP address; after the statistical data is reported, receiving aprevention policy from the controller; and wherein the one or moreprocessors are further configured to: performing prevention process onthe traffic flowing to the destination IP address according to theprevention policy.
 18. The packet forwarding device according to claim17, wherein the one or more processors are further configured to:perform the traffic statistics collection continuously according to adetection period, and instruct the transceiver reporting the statisticaldata according to the detection period, wherein the transceiver isfurther configured to: after receiving the prevention policy from thecontroller, receiving a prevention cancellation instruction message fromthe controller so that the packet forwarding device stops executing theprevention policy based on the received prevention cancellationinstruction message; and wherein the one or more processors are furtherconfigured to: ceasing the prevention process on the traffic flowing tothe destination IP address based on the prevention cancellationinstruction message.
 19. The packet forwarding device according to claim16, wherein the prevention policy comprises any one of the followingresponse policies: a black-hole route response policy instructing thepacket forwarding device to perform, by configuring a black-hole route,packet discarding process on the traffic flowing to the destination IPaddress, wherein performing the prevention process on the trafficflowing to the destination IP address comprises performing, using theblack-hole route according to the black-hole route response policy, thepacket discarding process on the traffic flowing to the destination IPaddress; a traffic limiting response policy instructing the packetforwarding device to perform traffic limiting process on the trafficflowing to the destination IP address, wherein performing the preventionprocess on the traffic flowing to the destination IP address comprisesperforming, according to the traffic limiting response policy, thetraffic limiting process on the traffic flowing to the destination IPaddress; a rate limiting response policy instructing the packetforwarding device to perform rate limiting process on the trafficflowing to the destination IP address, wherein performing the preventionprocess on the traffic flowing to the destination IP address comprisesperforming, according to the rate limiting response policy, the ratelimiting process on the traffic flowing to the destination IP address; adiscarding response policy instructing the packet forwarding device toperform the packet discarding process on the traffic flowing to thedestination IP address, wherein performing the prevention process on thetraffic flowing to the destination IP address comprises performing,according to the discarding response policy, the packet discardingprocess on the traffic flowing to the destination IP address; a localcleaning response policy instructing the packet forwarding device tolocally perform cleaning process on the traffic flowing to thedestination IP address, wherein performing the prevention processing onthe traffic flowing to the destination IP address comprises locallyperforming, according to the local cleaning response policy, thecleaning process on the traffic flowing to the destination IP address;or a dynamic diversion and cleaning response policy instructing thepacket forwarding device to send the traffic flowing to the destinationIP address to a cleaning device for the cleaning process, whereinperforming the prevention process on the traffic flowing to thedestination IP address comprises sending, according to the dynamicdiversion and cleaning response policy, the traffic flowing to thedestination IP address to the cleaning device for the cleaning process.20. The packet forwarding device according to claim 19, wherein thestatistical data further comprises a load value of the packet forwardingdevice, wherein the dynamic diversion and cleaning response policycomprises indication information of a first diversion path, and theindication information of the first diversion path is used to instructthe packet forwarding device to send, through the first diversion path,the traffic flowing to the destination IP address to the cleaning devicefor cleaning processing, the first diversion path is a path with aminimum load between the packet forwarding device and the cleaningdevice, and the first diversion path goes through the packet forwardingdevice and the cleaning device; wherein the transceiver is furtherconfigured to: send, through the first diversion path according to thedynamic diversion and cleaning response policy, the traffic flowing tothe destination IP address to the cleaning device for cleaningprocessing.